My .env file is downloadable — what to do
If /.env loads in a browser, attackers can grab every secret in it. Here is how it happens, how to confirm it, and how to fix and recover.
Your .env file holds your secrets — database URLs, API keys, tokens. If it’s publicly downloadable, anyone can open https://your-app.com/.env and read all of them. Bots scan for this constantly.
How it happens
It usually means the web root points at your whole project directory, so every file in it is served as static content, instead of only the built dist/ or public/ output. Misconfigured static hosting, a web server or CDN origin root set to the repository checkout, or uploading the entire project instead of the build folder are the usual causes. The same mistake often exposes /.git (your full source history) and other config files.
Confirm it
Open these in a browser: /.env, /.env.local, /.env.production, /.git/HEAD. If any returns file contents instead of your app or a 404, it's exposed. Judge by the response body, not the status code: single-page-app hosts often answer every unknown path with index.html and a 200, which is harmless. A body made of KEY=value lines, or a /.git/HEAD body beginning with "ref: refs/heads/", is the confirmation.
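The browser check above, scripted so it can run against every deploy. This is an added example, not code from the page or from Shipshape; it assumes curl is installed, and the site URL and path list are placeholders to replace. It classifies each response by its body rather than its status code, so an SPA fallback page counts as clean and only real KEY=value or git-metadata content counts as exposed.

```shell
#!/bin/sh
# Added example (not the page's own code): probe a site for downloadable
# dotfiles and decide from the response BODY, because SPA hosts answer any
# unknown path with index.html and a 200 status.
# Assumptions: curl is installed; the URL passed in and DOTFILE_PATHS are yours to edit.

set -u

# Paths the article says to check, plus /.git/config (leaks remote URLs and branch names).
DOTFILE_PATHS="/.env /.env.local /.env.production /.git/HEAD /.git/config"

# classify_body KIND BODY -> prints "exposed" or "clean".
# KIND is "env" or "git"; BODY is the raw response body.
classify_body() {
  kind=$1
  body=$2
  case $kind in
    env)
      # Anything that looks like an HTML document is a fallback page, not a dotenv file.
      if printf '%s\n' "$body" | grep -Eqi '<html|<!doctype'; then
        echo clean; return
      fi
      # A real .env is KEY=value lines, optionally prefixed with "export".
      if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*='; then
        echo exposed; return
      fi
      echo clean ;;
    git)
      # /.git/HEAD is "ref: refs/heads/<branch>" or a bare 40-hex detached SHA;
      # /.git/config starts with "[core]".
      if printf '%s\n' "$body" | grep -Eq '^(ref: refs/|\[core\]|[0-9a-f]{40}$)'; then
        echo exposed
      else
        echo clean
      fi ;;
  esac
}

# kind_for_path PATH -> "git" for anything under /.git/, otherwise "env".
kind_for_path() {
  case $1 in
    /.git/*) echo git ;;
    *) echo env ;;
  esac
}

# probe BASE_URL: fetch each path, print a verdict per path, exit 1 if anything is exposed.
probe() {
  base=${1%/}
  rc=0
  for p in $DOTFILE_PATHS; do
    # Follow redirects; an unreachable host yields an empty body and a "clean" verdict,
    # so read the output rather than trusting exit 0 alone.
    body=$(curl -sS -L --max-time 10 "$base$p" 2>/dev/null)
    verdict=$(classify_body "$(kind_for_path "$p")" "$body")
    printf '%-20s %s\n' "$p" "$verdict"
    [ "$verdict" = exposed ] && rc=1
  done
  return $rc
}

# Usage: sh probe-dotfiles.sh https://your-app.com
if [ "${1:-}" ]; then
  probe "$1"
fi
```

Run it as a post-deploy step and fail the pipeline on a non-zero exit; the per-path output tells you which file leaked, which decides what has to be rotated.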
Fix it
- Serve only your build output directory, not the project root.
- Block dotfiles at your host/CDN (deny every path segment that starts with a dot), and answer with a 404 rather than a 403 so the response does not confirm that the file exists.
- Rotate every secret that was in the exposed file (database credentials, API keys, tokens, signing secrets) and assume all of them are compromised. Check your access logs for earlier requests to /.env and /.git to see how long it was exposed and what else was pulled.
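The first two fixes as a web server configuration, added here as an example rather than taken from the page or from Shipshape. It assumes nginx, a build that outputs to /var/www/your-app/dist, and placeholder certificate paths; the directory layout and names are assumptions to adapt.

```nginx
# Added example (not the page's own config). Assumes nginx and a build whose
# output lands in /var/www/your-app/dist; the project checkout holding .env
# and .git lives outside that directory.

server {
    listen 443 ssl;
    server_name your-app.com;

    # Placeholder certificate paths; replace with your own.
    ssl_certificate     /etc/ssl/your-app/fullchain.pem;
    ssl_certificate_key /etc/ssl/your-app/privkey.pem;

    # Fix 1: serve ONLY the build output. Nothing in the project directory
    # (.env, .git, source, lockfiles) is under this root, so nothing can leak.
    root /var/www/your-app/dist;
    index index.html;

    # Fix 2: refuse any path segment that starts with a dot (.env, .env.production,
    # .git/HEAD, .htpasswd, ...). Regex locations win over the prefix location below.
    # 404 rather than 403, so the answer does not confirm the file exists.
    location ~ /\. {
        return 404;
    }

    # SPA fallback: unknown paths get index.html with a 200. This is why the
    # browser test must look at the body, not just the status code.
    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

If you use ACME HTTP-01 challenges, add a `location ^~ /.well-known/acme-challenge/ { }` block pointing at the challenge directory; the `^~` prefix match takes precedence over the regex deny, so renewals keep working while every other dotfile path stays blocked.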
Shipshape checks for a downloadable /.env, /.git, and database dumps on every scan — confirmed by reading the actual content, so it’s not a guess. → Scan your app free
FAQ
How do I know if my .env is exposed?
Open /.env (and /.env.local, /.env.production) in a browser. If it returns file contents instead of a 404 or your app, it is publicly downloadable. A 200 alone is not proof on hosts that return index.html for unknown paths; look for KEY=value lines in the body.
What do I do if my .env was downloadable?
Stop serving the project root (serve only your build output), block dotfiles at your host, and rotate every secret that was in the file — treat them all as compromised.
Is an exposed .git folder just as bad?
Yes. An exposed /.git lets attackers reconstruct your full source code and history, including any secrets ever committed.
Related questions
- pk_test in production: why your checkout silently fails
- How to choose a security scanner for a vibe-coded app
- How do scanners safely test your database rules?
- Shipshape vs Vibe App Scanner: scanner results vs launch proof