.env holds an app's secrets (database credentials, API keys, encryption keys). Because the keys are gathered in one file, exposure of that file leaks every secret at once. Keep the app outside the docroot, never commit .env to git, and rotate every secret if the file leaks.