This is example data. Real dashboards update continuously based on your assets.

Exposed .env File - app.example.com


Summary

An exposed .env file was detected on app.example.com. The file /.env is publicly accessible and contains environment variables used for configuration and secrets, including database connection strings, Redis URL, NextAuth secret, Stripe key, and AWS credentials. Such files must never be served by the web server.

Security Impact

  • Credential theft: Attackers can use database URLs, API keys, and secrets to access your backend, payment systems, or cloud resources.
  • Account takeover: NEXTAUTH_SECRET and JWT_SECRET can be used to forge sessions or tokens.
  • Lateral movement: Stolen AWS or Stripe keys enable further compromise of linked services.
  • Compliance: Exposure of secrets often violates PCI-DSS, SOC2, and similar frameworks.

How to Verify

Visit https://app.example.com/.env. A vulnerable server returns HTTP 200 with key-value pairs (e.g. DATABASE_URL=, NEXTAUTH_SECRET=, STRIPE_SECRET_KEY=). A fixed deployment returns 403, 404, or does not serve the file.
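The verification rule above, written as an added example that is not part of the ExposureIntel report: a classifier for the response your own asset scanner receives from GET /.env. It treats only a 200 whose body parses as dotenv and contains secret-bearing names as exposed, so an HTML "not found" page served with 200 is not counted. The sample bodies and the list of sensitive names are constructed for this example.

```python
import re
from typing import Dict

# Constructed sample responses (not real captures), modelled on the excerpt in this report.
EXPOSED_BODY = """# Database
DATABASE_URL=postgresql://app_user:REDACTED@db.internal:5432/app_db
REDIS_URL=redis://:REDACTED@cache.internal:6379/0

# NextAuth
NEXTAUTH_SECRET=8f4a2c1b9e7d3f6a5c8b0e2d1a4f7c9b3e6d
NEXTAUTH_URL=https://app.example.com
STRIPE_SECRET_KEY=sk_live_EXAMPLE
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""
SOFT_404_BODY = "<html><body><h1>Page not found</h1></body></html>"

# Variable names (and suffixes) whose presence means a secret was served. Assumed list.
SENSITIVE = ("DATABASE_URL", "REDIS_URL", "NEXTAUTH_SECRET", "JWT_SECRET",
             "STRIPE_SECRET_KEY", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
SENSITIVE_SUFFIXES = ("_SECRET", "_KEY", "_TOKEN", "_PASSWORD")

ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")

def parse_dotenv(body: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and # comments are skipped, quotes stripped."""
    found: Dict[str, str] = {}
    for ln in body.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        m = ASSIGN.match(ln)
        if m:
            found[m.group(1)] = m.group(2).strip().strip('"\'')
    return found

def classify(status: int, body: str) -> dict:
    """Classify one response to GET /.env. A non-200 status, or a 200 whose body is not
    dotenv-shaped (e.g. an HTML soft-404), is reported as not exposed."""
    if status != 200:
        return {"exposed": False, "reason": f"status {status}", "keys": []}
    variables = parse_dotenv(body)
    content = [ln for ln in body.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    # Require that at least half of the non-comment lines are assignments.
    if not variables or len(variables) < max(1, len(content) // 2):
        return {"exposed": False, "reason": "200 but body is not dotenv-shaped", "keys": []}
    hits = sorted(k for k in variables if k in SENSITIVE or k.endswith(SENSITIVE_SUFFIXES))
    reason = "secrets served" if hits else "dotenv served but no secret-bearing names"
    return {"exposed": bool(hits), "reason": reason, "keys": hits}
```

Feed it the status and body from your own HTTP client; a true result is the trigger for the remediation steps below, starting with secret rotation.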

Exposed Content (excerpt)

# Database
DATABASE_URL=postgresql://app_user:xK9%23mN2%[email protected]:5432/app_db
REDIS_URL=redis://:[email protected]:6379/0

# NextAuth
NEXTAUTH_SECRET=8f4a2c1b9e7d3f6a5c8b0e2d1a4f7c9b3e6d
NEXTAUTH_URL=https://app.example.com

# API Keys (do not commit)
STRIPE_SECRET_KEY=sk_live_51Ab2Cd3Ef4Gh5Ij6Kl7Mn8Op9Qr0St1Uv2Wx3Yz4
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
JWT_SECRET=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.example.signature

Remediation

  • Remove .env from web root and ensure the document root does not include config or secret files.
  • Block access at the server/WAF: Deny requests to /.env, /.env.local, /.env.* and return 403 or 404.
  • Rotate all exposed secrets immediately: database passwords, API keys, NEXTAUTH_SECRET, Stripe, AWS, JWT.
  • Use a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault) and inject env at runtime instead of storing .env in the repo or server filesystem.

If you encounter an issue or a false positive, contact [email protected].

ExposureIntel - Attack Surface Management Tools | External Asset Discovery & Exposure Monitoring