Home / Tools / Verify .env and credential files are not publicly accessible
Exposed Files · Scan Check Guide

Verify .env and credential files are not publicly accessible

15 min Impact: high Effort: low ✓ Scan-verified — no manual checkbox

A .env file holds your application's real secrets — database passwords, API keys, third-party credentials — in plain text. If it's sitting in your site's public web root, anyone who requests yoursite.com/.env can read every one of those secrets directly.

An exposed .env file reveals database credentials, API keys, and secret tokens — complete account compromise in seconds. This is one of the most common and catastrophic misconfigurations.

How to fix it

  1. 1
    Confirm whether it's actually exposed
    Visit https://yoursite.com/.env directly — if it downloads or displays content, this is urgent.
  2. 2
    Move it outside the public web root
    Your .env file should live OUTSIDE the folder your web server serves publicly — one level up, not inside /public or /www.
  3. 3
    Block it at the server level as a backup
    Add a rule denying access to any .env file, regardless of location — most web servers support this in a few lines of config.
  4. 4
    Rotate every secret that was exposed
    If the file WAS publicly accessible for any period, treat every credential in it as compromised — rotate database passwords and API keys, don't just fix the exposure.

Common mistakes

How you'll know it's done

https://yoursite.com/.env returns a 403 or 404, and every credential that was in the file has been rotated.

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →