Exposed .env scanner
Check if your app is serving its .env file to the public
A misconfigured deploy can serve your .env file to anyone who requests it. That file often holds database URLs, API keys, and other secrets that give an attacker a foothold.
A sample of what you might see
A request to /.env returned environment variables. Anyone can read them, so any secret in there should be rotated.
{ "DATABASE_URL": "postgres://•••", "API_KEY": "••••" }
Illustrative, redacted. We never store your data.
The scan requests the common config paths from the outside and tells you whether any of them are reachable. It only reads, and redacts any sample before you see it.
Supports JavaScript and TypeScript apps today. The scan is passive and outside-in. How the scanner stays safe.
Questions
What files does it check?
Common config and metadata paths a misconfigured deploy might serve, such as .env, .git, and source maps. It only requests them, never writes.
What do I do if my .env is reachable?
Block public access to it immediately and rotate any secret it contained. We can fix the config and prove it in a reviewable pull request.
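One way to block these paths at the application layer, as an added example that is not the scanner's own code: an Express-style `(req, res, next)` middleware that refuses any dotfile path (`.env`, `.env.local`, `.git/config`) and any `.map` source map, after decoding and normalising the URL so encoded dots and `..` segments cannot slip past it. The handler shape is assumed; `express` itself is not needed to run it.

```javascript
// Added example: deny requests for dotfiles and source maps before any
// static handler sees them. Assumes a Node/Express-style middleware signature.

// Dotfile directories that must stay reachable (ACME challenges live here).
const ALLOWED_DOTDIRS = new Set(['.well-known']);

// Normalise a raw request URL to a clean absolute path, or return null if
// the percent-encoding is malformed (callers treat null as "deny").
function normalizePath(rawUrl) {
  let p = rawUrl.split(/[?#]/)[0];          // drop query string and fragment
  try { p = decodeURIComponent(p); }        // %2Eenv -> .env
  catch { return null; }
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue; // collapse // and ./
    if (seg === '..') { out.pop(); continue; } // resolve ../ without leaving root
    out.push(seg);
  }
  return '/' + out.join('/');
}

// True if the path names a dotfile (outside .well-known) or a source map.
function isSensitivePath(rawUrl) {
  const p = normalizePath(rawUrl);
  if (p === null) return true;
  const segs = p.split('/').filter(Boolean);
  for (const seg of segs) {
    const lower = seg.toLowerCase();
    if (lower.startsWith('.') && !ALLOWED_DOTDIRS.has(lower)) return true;
  }
  const last = (segs[segs.length - 1] || '').toLowerCase();
  return last.endsWith('.map');              // e.g. /app.js.map
}

// Middleware: answer with a plain 404 so the response does not reveal
// that the path is special, otherwise pass the request on.
function denySensitivePaths(req, res, next) {
  if (isSensitivePath(req.url)) {
    res.statusCode = 404;
    res.end('Not Found');
    return;
  }
  next();
}

module.exports = { normalizePath, isSensitivePath, denySensitivePaths };
```

Mount it before `express.static` (or any catch-all file handler) so the deny runs first; rotating the secrets that were already exposed is still required.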
Which check do I need?
Check my live app
Scan a deployed URL for what it leaks to any visitor: exposed keys, open databases, reachable files.
Free instant scan →
Check my repo / CI hygiene
Review your GitHub Actions and repository config for security gaps in how you build and ship.
Repo & CI check →
Get it fixed
We verify the issues, fix them, and prove the fix in a reviewable pull request.
See packages →