Fix guide · critical · exposed_env_file

.env file accessible at your public root

What this rule means

A request to /.env (or /.env.local, /.env.production) returned 200 with what appeared to be environment variable definitions.

Why it matters

The .env file typically contains every secret your app uses: database connection strings, API keys for every service, JWT signing secrets, OAuth client secrets. Treat all of them as compromised.

How to fix it

  1. Rotate every secret in the .env file. All of them. Now.
  2. Block the file path in your deploy config so the file can never be served:

Cloudflare Pages (public/_redirects):

/.env*  /404  404

Vercel (vercel.json):

{
  "rewrites": [{ "source": "/.env(.*)", "destination": "/404" }]
}

Netlify (netlify.toml):

[[redirects]]
from = "/.env*"
to = "/404"
status = 404

Nginx:

location ~ /\.env { deny all; return 404; }

Apache (.htaccess):

RedirectMatch 404 /\.env
  3. Verify .env is in .gitignore and check git history with git log --all -- .env. If ever committed, even briefly, treat every secret in those commits as compromised forever — automated scrapers harvest within hours.
  4. Configure your build to exclude .env from the deployment artifact:
  5. Add a CI gate: vibecheck https://your-deploy.com --exit-on critical.
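A post-fix check that requests the three paths named in the finding and decides, per path, whether the response still looks like a dotenv file, so a host that answers every unknown path with a 200 SPA fallback is not mistaken for a still-exposed file. This is an added example, not vibecheck's own code; the sample body and the `env-check` User-Agent are constructed.

```python
"""Verify the exposed_env_file fix: each .env path must no longer answer
200 with KEY=value content. Usage: python check_env.py https://your-deploy.com"""
import re
import sys
import urllib.error
import urllib.request

# Paths named in the finding.
ENV_PATHS = ("/.env", "/.env.local", "/.env.production")

# Shell-style assignment line, optionally prefixed with "export".
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*=")

# Constructed sample standing in for a leaked file (not real secrets).
SAMPLE_ENV = (
    "# constructed sample\n"
    "DATABASE_URL=postgres://app:pw@db.internal/app\n"
    "JWT_SECRET=not-a-real-secret\n"
    "export STRIPE_KEY=sk_test_placeholder\n"
)

def looks_like_env(body: str, min_assignments: int = 2) -> bool:
    """True when the body is mostly KEY=value lines, i.e. the shape of a dotenv
    file. An HTML 404 page or an SPA index.html does not match."""
    lines = [l for l in body.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if not lines:
        return False
    hits = sum(1 for l in lines if ASSIGNMENT.match(l))
    return hits >= min_assignments and hits / len(lines) >= 0.8

def classify(status: int, body: str) -> str:
    """'exposed' reproduces the finding; 'blocked' is the goal; 'rewritten'
    means a 200 that carried a non-env page (e.g. a catch-all SPA fallback)."""
    if status == 200 and looks_like_env(body):
        return "exposed"
    if status == 200:
        return "rewritten"
    return "blocked"

def fetch(base_url: str, path: str) -> tuple:
    """Return (status, body) for base_url + path; HTTP errors are still answers."""
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"User-Agent": "env-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")

def check_site(base_url: str) -> dict:
    """Map each .env path to its verdict for the given deployment."""
    return {p: classify(*fetch(base_url, p)) for p in ENV_PATHS}

if __name__ == "__main__":
    results = check_site(sys.argv[1]) if len(sys.argv) > 1 else {"/.env": classify(200, SAMPLE_ENV)}
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
    sys.exit(1 if "exposed" in results.values() else 0)
```

Run it without arguments to see the classifier flag the constructed sample; with a base URL it exits non-zero only while some path still answers like a dotenv file.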

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
