
Why Are Your Secrets or API Keys Exposed?

Exposed secrets are one of the most dangerous production mistakes - scrapers and bots scan GitHub and common URLs for leaked credentials within minutes of exposure. If your API keys, database passwords, or .env file are publicly accessible, assume they have already been read. Here is what to check and how to fix it.

Why this happens

critical: .env file is publicly accessible at /.env

When a project is deployed from the project root instead of the build output folder, the .env file becomes publicly accessible at yourdomain.com/.env. Anyone can visit that URL and read your database passwords, API keys, and OAuth secrets in plain text. This is extremely common on misconfigured VPS and shared hosting deployments.

How to Secure Your .env File →

critical: .git directory is accessible - full source code downloadable

If yourdomain.com/.git/config returns a 200 response, your entire git history is downloadable. This includes every file ever committed - even secrets you deleted in a later commit. Attackers can reconstruct your full source code and extract credentials that were committed at any point in time.

How to Block .git Directory Access →

critical: API keys hardcoded in frontend JavaScript

Any key in your frontend JavaScript - including bundled React, Vue, or Svelte code - is visible to anyone who opens browser DevTools. Bots scan public GitHub repos and sites for patterns matching API keys (OpenAI, Stripe, AWS) within minutes of publication. Secret keys must stay on the server.

How to Remove Exposed API Keys →


Frequently asked questions

How quickly can exposed secrets be exploited?
Within minutes. Automated bots continuously scan GitHub commits, public source code, and common URL paths (/.env, /.git/config) looking for credentials. GitGuardian has documented cases where secrets were accessed within 4 seconds of a GitHub push. Treat any exposure as an immediate incident: rotate credentials first, then fix the leak.

I removed the secret from my code - am I safe?
Not necessarily. If the secret was ever committed to git, it still exists in git history even after deletion. Anyone who cloned the repo or downloaded it before your fix still has the secret. Rotate the credential regardless, and use git filter-repo or BFG Repo Cleaner to remove it from history if the repo is public.

How do I check if my .env is exposed?
Visit https://yourdomain.com/.env in a browser. If you see your environment variables, it's exposed. Also check https://yourdomain.com/.git/config. Use didyouship.com to run an automated scan that checks both endpoints and looks for API key patterns in your page source.

What should I do if I find my secrets were exposed?
1. Rotate all credentials immediately - assume they were read.
2. Check provider dashboards for unexpected API usage (OpenAI, Stripe, AWS).
3. Fix the deployment configuration so the secret is no longer accessible.
4. Review git history and remove secrets using git filter-repo.
5. Add pre-commit hooks or GitGuardian to prevent future leaks.
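The manual checks from the answers above (fetch /.env and /.git/config on your own domain, look for key-like strings in the page source) as an added self-check script; this is example code, not didyouship.com's scanner. The key regexes are illustrative patterns for the providers named on this page, not the service's own, and the script assumes you run it against a domain you operate.

```python
import re
import urllib.error
import urllib.request

# Hypothetical example patterns for the providers the page names; extend for yours.
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "openai_secret": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}
ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=", re.MULTILINE)

def looks_like_env(body):
    # A real .env has several KEY=value lines; an SPA that answers 200 with its
    # index.html for every path does not, so a bare 200 is not enough evidence.
    return len(ENV_LINE.findall(body)) >= 2

def looks_like_git_config(body):
    return "[core]" in body and "repositoryformatversion" in body

def find_key_patterns(body):
    return {n: p.findall(body) for n, p in KEY_PATTERNS.items() if p.search(body)}

def classify(path, status, body):
    # One (path, status, body) observation -> finding string, or None.
    if status != 200:
        return None
    if path == "/.env" and looks_like_env(body):
        return "critical: /.env is readable; rotate every value in it"
    if path == "/.git/config" and looks_like_git_config(body):
        return "critical: /.git/ is readable; full history is downloadable"
    hits = find_key_patterns(body)
    if path == "/" and hits:
        return "critical: key-like strings in page source: " + ", ".join(sorted(hits))
    return None

def fetch(url):
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read(200_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except OSError:  # URLError, DNS failure, read timeout
        return 0, ""

def scan(domain):
    """Check your own domain for the three exposures described on this page."""
    findings = []
    for path in ("/.env", "/.git/config", "/"):
        findings.append(classify(path, *fetch("https://" + domain + path)))
    return [f for f in findings if f]
```

`scan("yourdomain.com")` returns an empty list when none of the three checks fires; any finding means rotate first, then fix the deployment.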
