A .env file holds your application's real secrets — database passwords, API keys, third-party credentials — in plain text. If it's sitting in your site's public web root, anyone who requests yoursite.com/.env can read every one of those secrets directly.
An exposed .env file reveals database credentials, API keys, and secret tokens — complete account compromise in seconds. This is one of the most common and catastrophic misconfigurations.
https://yoursite.com/.env returns a 403 or 404, and every credential that was in the file has been rotated.
Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.
Run this check in H.I.V.E. →