env
3 articles with this tag
Keeping .env off the public web on shared hosting
The real fix: keep the application itself outside the docroot and expose only public/. Stop the bleeding with .htaccess, make it permanent by restructuring, then self-check. ITD's view: this isn't one person's slip but an industry-standardized bad pattern, so fix it with process, not vigilance. bootstrap-redirect beats symlink.
Security basics: what's actually dangerous about .env and API keys
Start here. Understand what happens when .env and API keys leak (spare key → impersonation → fraudulent billing), then adopt four habits today: don't expose them, don't commit them, rotate everything if leaked, and self-check.
What is .env — what happens when an environment file leaks
.env holds an app's secrets (DB auth, API keys, encryption keys). Because the keys are gathered in one file, exposure leaks every secret at once. Keep the app outside the docroot, never commit .env to git, and rotate everything if it leaks.