Critical severity

Exposed `.env` File

A `.env` file served by the web server exposes every credential the application uses: database URLs, API keys, signing secrets, cloud credentials, and more.

Business risk

This is the single highest-severity finding in most WebShield scans because a `.env` almost always contains full-access credentials. Laravel apps commonly expose `.env` when the document root is set to the project root instead of `/public`. Public research in 2025 cataloged hundreds of exposed Laravel `APP_KEY` values in the wild, with the majority sitting alongside at least one additional production credential (S3 keys, Stripe keys, database passwords). A single exposed `.env` is often the entire blast radius of a company compromise.

Technical details

Rotate before you patch. If the file was reachable for any length of time, assume it was scraped. Scanners index `.env` paths continuously. Rotate every secret in the file, then update the web server config to block dotfiles, then fix the underlying deployment problem (usually: document root pointing at the project root instead of `public/`). Finally, remove the file from git history if it was ever committed.

How to detect it

Attackers scan for a standard list of `.env` variants continuously. Probe every one of them. A `200 OK` with any content is a critical finding - the cleartext value of your API keys is public the moment the URL works once.

Probe the canonical names

for f in .env .env.local .env.production .env.backup .env.old .env.dev .env.staging; do
  printf "%-20s %s\n" "$f" "$(curl -s -o /dev/null -w '%{http_code}' https://yourdomain.com/$f)"
done

Probe framework-specific variants

for f in config.php wp-config.php config.yml secrets.json credentials.json; do
  printf "%-20s %s\n" "$f" "$(curl -s -o /dev/null -w '%{http_code}' https://yourdomain.com/$f)"
done

Common pitfalls

Patching before rotating. The file has been scraped - every second the web server returned 200 was a chance for a scanner to capture it. Rotate first, then patch.
Blocking `/.env` but leaving `/.env.local`, `/.env.production`, or `/.env.backup`. Attackers probe a list of 20+ variants. Block the whole dotfile class at the web server.
Having the Laravel document root set to the project root (`/var/www/laravel`) instead of `/var/www/laravel/public`. Until the document root is fixed, every block rule is a workaround.
Assuming the file is safe because the staging or dev variant leaked. Keys from dev and staging are often identical to production because of lazy environment propagation.
Forgetting that `.env` committed to git will remain in history even after deletion. Use `git filter-repo` to scrub the history, and plan on rotating anyway.

Remediation guide

Blocks every file starting with a dot except .well-known.

location ~ /\.(?!well-known) {
    deny all;
    return 404;
    access_log off;
}

nginx

External references

Frequently asked questions

My .env was exposed for a few minutes. Do I really need to rotate everything?

Yes. Automated scanners index `.env` paths 24/7 - the probability of capture during a multi-minute window is effectively 100%. Rotate every credential in the file, in the order listed in the rotation checklist.

Are Vercel, Netlify, or Cloudflare Pages safe by default?

Yes. All three publish only the build output directory, so a `.env` at repo root is never served. But if you commit `.env` to git, the next developer who sets up a different hosting environment inherits the problem. Never commit it.

What about .env.example?

Safe to commit and safe to serve. It should contain variable names with dummy values, no real secrets. Make that distinction explicit in your README so contributors do not accidentally commit the real file.

Keep going

Related guide

Exposed `.git` Directory

Critical severity · Exposure

Related guide

Server Information Leakage

Low severity · Misc

Related guide

Insecure Cookies

Medium severity · Cookies

Free tool

security.txt Checker

Make it obvious how to report vulnerabilities - the RFC 9116 way.

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.

Business risk

Technical details

How to detect it

Probe the canonical names

for f in .env .env.local .env.production .env.backup .env.old .env.dev .env.staging; do
  printf "%-20s %s\n" "$f" "$(curl -s -o /dev/null -w '%{http_code}' https://yourdomain.com/$f)"
done

Probe framework-specific variants

for f in config.php wp-config.php config.yml secrets.json credentials.json; do
  printf "%-20s %s\n" "$f" "$(curl -s -o /dev/null -w '%{http_code}' https://yourdomain.com/$f)"
done

Common pitfalls

Patching before rotating. The file has been scraped - every second the web server returned 200 was a chance for a scanner to capture it. Rotate first, then patch.

Blocking `/.env` but leaving `/.env.local`, `/.env.production`, or `/.env.backup`. Attackers probe a list of 20+ variants. Block the whole dotfile class at the web server.

Having the Laravel document root set to the project root (`/var/www/laravel`) instead of `/var/www/laravel/public`. Until the document root is fixed, every block rule is a workaround.

Assuming the file is safe because the staging or dev variant leaked. Keys from dev and staging are often identical to production because of lazy environment propagation.

Forgetting that `.env` committed to git will remain in history even after deletion. Use `git filter-repo` to scrub the history, and plan on rotating anyway.

Frequently asked questions

My .env was exposed for a few minutes. Do I really need to rotate everything?

Are Vercel, Netlify, or Cloudflare Pages safe by default?

What about .env.example?