Exposed .env scanner

Check if your app is serving its .env file to the public

A misconfigured deploy can serve your .env file to anyone who requests it. That file often holds database URLs, API keys, and other secrets that give an attacker a foothold.

A sample of what you might see

Critical: Reachable .env file

A request to /.env returned environment variables. Anyone can read them, so any secret in there should be rotated.

{ "DATABASE_URL": "postgres://•••", "API_KEY": "••••" }

Illustrative, redacted. We never store your data.

The scan requests the common config paths from the outside, exactly as an anonymous visitor would, and tells you whether any of them are reachable. It only reads, and it redacts any sample before you see it.

JavaScript and TypeScript apps are supported today. The scan is passive and outside-in; see "How the scanner stays safe" for details.

Questions

What files does it check?

Common config and metadata paths a misconfigured deploy might serve, such as .env, .git, and source maps. It only requests them, never writes.

What do I do if my .env is reachable?

Block public access to it immediately and rotate every secret it contained, since anything in the file must be assumed read. We can fix the config and prove it in a reviewable pull request.
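The following is an added example, not the scanner's own code or any customer's code. It shows the two halves of the problem for a Node app: a request-level guard that refuses to serve any dotfile path (so /.env, /.env.production and /.git/config all return 404), and a small classifier for the "is this actually an env file?" decision the scan has to make, since a single-page app that answers every unknown path with its index.html returns 200 for /.env without leaking anything. The function names, the 80% threshold and the sample bodies are assumptions made for this example.

```javascript
// Added example (hypothetical helper names); not the scanner's implementation.

// True when any path segment starts with "." (e.g. /.env, /.env.production,
// /.git/config, and ".." traversal segments). Percent-encoded dots are
// decoded first so "/%2Eenv" is treated the same as "/.env"; a body that
// cannot be decoded is treated as suspicious and blocked.
function isDotfilePath(pathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(pathname);
  } catch (e) {
    return true;
  }
  return decoded
    .split(/[\\/]+/)
    .some((seg) => seg.startsWith(".") && seg !== ".");
}

// Connect/Express-style middleware: put it before static file serving and
// any SPA fallback. It answers 404 rather than 403 so the response does not
// confirm that the file exists on disk.
function denyDotfiles(req, res, next) {
  const pathname = new URL(req.url, "http://localhost").pathname;
  if (isDotfilePath(pathname)) {
    res.statusCode = 404;
    res.setHeader("Content-Type", "text/plain");
    res.end("Not Found");
    return;
  }
  next();
}
// Wiring (not executed here):
//   app.use(denyDotfiles);            // Express
//   http.createServer((req, res) => denyDotfiles(req, res, () => serve(req, res)));

// One way to decide that a 200 response really is an env file: most
// non-comment, non-blank lines must look like KEY=VALUE (optionally
// "export KEY=VALUE"). HTML from an SPA fallback fails this test.
const ENV_LINE = /^\s*(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=/;

function looksLikeEnvFile(body) {
  const lines = body
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l !== "" && !l.startsWith("#"));
  if (lines.length === 0) return false;
  const matching = lines.filter((l) => ENV_LINE.test(l)).length;
  return matching / lines.length >= 0.8; // threshold is an assumption
}

// Constructed sample bodies for demonstration; the values are not real secrets.
const SAMPLE_ENV_BODY = [
  "# constructed sample",
  "DATABASE_URL=postgres://user:pass@db.example.internal/app",
  "API_KEY=not-a-real-key",
  "export NODE_ENV=production",
].join("\n");

const SAMPLE_SPA_FALLBACK_BODY =
  '<!doctype html><html><head><title>App</title></head><body><div id="root"></div></body></html>';

// Classify a (status, body) pair the way an outside-in check would:
// "exposed" only when the server answered 200 and the body looks like env data.
function classifyResponse(status, body) {
  if (status !== 200) return "not-reachable";
  return looksLikeEnvFile(body) ? "exposed" : "reachable-but-not-env";
}
```

Note that the guard only covers paths served by this process; if a reverse proxy or CDN serves the project directory directly, the equivalent rule belongs there too, and the middleware is a second line of defence rather than the only one.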
