Your .env File Is Public: The #1 API Leak We Find

February 3, 2026 · 6 min read · ThreeStack Security Team

Every week, we run our free security scanner against hundreds of APIs. The #1 most dangerous finding isn't a missing header or a weak CORS policy: it's exposed sensitive files that should never be public.

🔴 Critical: An exposed .env file gives attackers your database credentials, API keys, and secrets, often leading to full system compromise within minutes.

The Files That Should Never Be Public

Here are the sensitive paths we probe for in every scan, ranked by severity:

Path                    Severity   What It Exposes
/.env                   CRITICAL   Database credentials, API keys, JWT secrets
/.git/HEAD              CRITICAL   Full source code via git repository
/actuator/health        HIGH       Spring Boot internals, environment vars
/debug                  HIGH       Debug info, stack traces, memory dumps
/swagger-ui.html        MEDIUM     Full API documentation & endpoints
/api-docs               MEDIUM     OpenAPI/Swagger spec (JSON)
/server-status          MEDIUM     Apache server metrics & connections
/wp-json/wp/v2/users    MEDIUM     WordPress user enumeration

Why This Happens

The root cause is almost always the same: deployment misconfiguration. Here's how it typically goes wrong:

1. The .env File Problem

Developers use .env files to store secrets during development. The file gets deployed to production, and the web server serves it as a static file because no rule blocks it.

# Typical .env file content, now public to the world
DB_HOST=production-db.us-east-1.rds.amazonaws.com
DB_PASSWORD=s3cr3t_pr0d_p4ss!
STRIPE_SECRET_KEY=sk_live_51N...
JWT_SECRET=my-super-secret-jwt-key-2026
AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=wJal...

Impact: With these credentials, an attacker can access your database, impersonate your payment processing, forge authentication tokens, and access your cloud infrastructure. Full compromise in under 5 minutes.

2. The Exposed Git Repository

When /.git/ is accessible, tools like GitTools can reconstruct your entire source code, including commit history with old passwords.

# An attacker downloads your entire codebase:
$ git-dumper https://your-api.com/.git/ source/
[*] Downloading /.git/HEAD
[*] Downloading /.git/objects/...
[*] Reconstructing repository...
$ grep -r "password" source/
config/database.yml:  password: production_db_pass_2024

3. Debug Endpoints Left in Production

Spring Boot /actuator, Django /debug, and Express error handlers often expose environment variables, stack traces, and internal state in production.

How to Fix It

Nginx: Block Sensitive Paths

# Add to your server block
# Matches any path segment that starts with a dot (.env, .env.backup, .git/...).
# This also matches /.well-known; if you serve ACME HTTP challenges, add a
# "location ^~ /.well-known/" block, which takes precedence over regex locations.
location ~ /\. {
    deny all;
    return 404;   # answers before the access check: the path is hidden, not confirmed by a 403
}

location ~ ^/(actuator|debug|server-status) {
    deny all;
    return 404;
}

Apache: .htaccess Rules

# Block dotfiles (Apache 2.4 syntax; on 2.2 use "Order allow,deny" and "Deny from all")
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Block sensitive paths (anchored, so only paths that begin with these names match)
RedirectMatch 404 ^/(actuator|debug)(/|$)

Express.js: Middleware

// Block sensitive paths before routes
app.use((req, res, next) => {
  const blocked = new Set(['.env', '.git', 'actuator', 'debug']);
  let decoded;
  try { decoded = decodeURIComponent(req.path); } // so %2Eenv is checked the same as .env
  catch (err) { return res.status(400).send('Bad request'); }
  // Match whole path segments (not substrings, so /api/debugger still works) and
  // any dotfile except /.well-known, which ACME challenges need
  const hit = decoded.split('/').some(s => blocked.has(s) || (s.startsWith('.') && s !== '.well-known'));
  if (hit) {
    return res.status(404).send('Not found');
  }
  next();
});

Docker: Exclude from Image

# .dockerignore
.env
.env.*
.git
.gitignore
debug/
*.log

✅ Best Practice: Use environment variables injected at runtime (via Docker, Kubernetes secrets, or cloud provider config) instead of .env files in production. Never commit secrets to version control.

Our Scanner Catches This Automatically

Our free scanner (v1.3) now includes 8 probe-based checks that go beyond header analysis:

  1. Sensitive file detection: probes for .env, .git, and 6 more paths
  2. Content validation: distinguishes real files from catch-all responses (no false positives)
  3. GraphQL introspection: checks if your schema is exposed
  4. CORS credential reflection: tests if origins are unsafely reflected
  5. Error info disclosure: checks if error pages leak stack traces
  6. Open redirect detection: tests common redirect parameters
  7. security.txt & robots.txt analysis: checks for security policy and sensitive path leaks
  8. HTTP method enumeration: detects dangerous methods like TRACE

Total: 29 security checks in under 5 seconds. Free, no signup required.
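The content-validation step above, worked as an added Python example (this is not ThreeStack's scanner code): a 200 response is only reported as an exposed .env or .git/HEAD when its body actually looks like one and differs from what the server returns for a random non-existent path, so a catch-all server that answers 200 to everything produces no false positive. The scan function lets you run the same check against your own deployment after applying the web-server rules from the previous section. The sample responses, the self-check/1.0 User-Agent and all function names are constructed for this example.

```python
import re
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass

# What a *real* hit looks like, so a generic 200 page is not reported as a leak
ENV_LINE = re.compile(r'^\s*(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=')
GIT_HEAD = re.compile(r'^(?:ref: refs/\S+|[0-9a-f]{40})$')


@dataclass
class Response:
    status: int
    body: str


def looks_like_env(body: str) -> bool:
    """Most non-comment lines must be KEY=VALUE and the body must not be HTML."""
    lowered = body.lower()
    if '<html' in lowered or '<!doctype' in lowered:
        return False
    lines = [l for l in body.splitlines() if l.strip() and not l.lstrip().startswith('#')]
    if not lines:
        return False
    hits = sum(1 for l in lines if ENV_LINE.match(l))
    return hits / len(lines) >= 0.8


def looks_like_git_head(body: str) -> bool:
    """.git/HEAD is either a symbolic ref or a bare 40-hex commit id."""
    return bool(GIT_HEAD.match(body.strip()))


VALIDATORS = {'/.env': looks_like_env, '/.git/HEAD': looks_like_git_head}


def classify(path: str, resp: Response, baseline: Response) -> str:
    """baseline is the response to a random non-existent path on the same host."""
    if resp.status != 200:
        return 'not_exposed'
    if resp.status == baseline.status and resp.body.strip() == baseline.body.strip():
        return 'catch_all'        # same page for everything: nothing specific leaked
    validator = VALIDATORS.get(path)
    if validator is None:
        return 'reachable'        # 200, but no content check defined for this path
    return 'exposed' if validator(resp.body) else 'catch_all'


def fetch(url: str, timeout: float = 5.0) -> Response:
    """Fetch a URL (hypothetical helper); network errors are reported as status 0."""
    req = urllib.request.Request(url, headers={'User-Agent': 'self-check/1.0'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.read(65536).decode('utf-8', 'replace'))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read(65536).decode('utf-8', 'replace'))
    except (urllib.error.URLError, OSError):
        return Response(0, '')


def scan(base_url: str, paths=tuple(VALIDATORS), fetcher=fetch) -> dict:
    """Check your own deployment: returns {path: classification}."""
    base = base_url.rstrip('/')
    baseline = fetcher(f'{base}/{secrets.token_hex(8)}')   # random path for the catch-all check
    return {p: classify(p, fetcher(base + p), baseline) for p in paths}


# Constructed sample responses (no network) showing the three outcomes
SAMPLES = {
    '/.env': Response(200, 'DB_HOST=db.internal\nDB_PASSWORD=example-not-real\n# comment\nJWT_SECRET=x\n'),
    '/.git/HEAD': Response(200, '<html><body>Welcome</body></html>'),
    '/actuator/health': Response(200, '{"status":"UP"}'),
}
SAMPLE_BASELINE = Response(200, '<html><body>Welcome</body></html>')


def demo() -> dict:
    return {p: classify(p, r, SAMPLE_BASELINE) for p, r in SAMPLES.items()}


if __name__ == '__main__':
    print(demo())
```

Call scan('https://your-api.example') after deploying the nginx or Apache rules; every path should come back as not_exposed. A result of catch_all means the server answers 200 to everything, which is harmless for these paths but worth knowing, and reachable means the path exists and needs a manual look.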

Scan Your API Now

Find out if your .env, .git, or debug endpoints are exposed, in 30 seconds.

Run Free Scan →

What If You Find Exposed Files?

  1. Block access immediately: update web server config
  2. Rotate ALL exposed credentials: assume they've been compromised
  3. Check access logs: look for requests to sensitive paths
  4. Audit your deployment pipeline: prevent it from happening again
  5. Consider a full security audit: if sensitive files were exposed, there may be deeper issues
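Step 3 above, worked as an added Python example that is not part of the original post: it parses Combined Log Format lines (the nginx and Apache default), normalizes the request path (query string stripped, percent-decoded) so encoded variants are not missed, flags requests to the sensitive paths from the table earlier in the post, and reports which of them were actually served with a 2xx. That served list is exactly the set of files whose credentials need rotating in step 2. The log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format as written by nginx and Apache by default
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')

# Any dotfile or dot-directory segment: .env, .env.backup, .git/HEAD, ...
DOTFILE = re.compile(r'(^|/)\.[^/]+')
# Non-dotfile sensitive prefixes from the table
PREFIXES = ('/actuator', '/debug', '/swagger-ui.html', '/api-docs',
            '/server-status', '/wp-json/wp/v2/users')


def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode, collapse repeated slashes."""
    path = unquote(target.split('?', 1)[0])
    return re.sub(r'/+', '/', path)


def is_sensitive(path: str) -> bool:
    if DOTFILE.search(path) and not path.startswith('/.well-known/'):
        return True
    # Whole-segment match so /debugger or /actuators are not flagged
    return any(path == p or path.startswith(p + '/') for p in PREFIXES)


def triage(log_lines) -> dict:
    """Per client IP: every sensitive-path request and the subset that was served (2xx)."""
    findings = defaultdict(lambda: {'requests': [], 'served': []})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a Combined Log Format line
        path = normalize_path(m['target'])
        if not is_sensitive(path):
            continue
        status = int(m['status'])
        rec = findings[m['ip']]
        rec['requests'].append((m['ts'], path, status))
        if 200 <= status < 300:
            rec['served'].append(path)
    return dict(findings)


def exposed_paths(findings: dict) -> list:
    """Sorted, de-duplicated list of sensitive paths that were actually served."""
    return sorted({p for rec in findings.values() for p in rec['served']})


# Constructed sample log (documentation IP ranges, made-up timestamps)
SAMPLE_LOG = """\
203.0.113.7 - - [03/Feb/2026:10:12:01 +0000] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2026:10:12:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Feb/2026:10:12:03 +0000] "GET /%2Eenv.backup HTTP/1.1" 200 398 "-" "curl/8.4.0"
198.51.100.23 - - [03/Feb/2026:10:15:44 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 1203 "-" "okhttp/4.9"
198.51.100.23 - - [03/Feb/2026:10:15:45 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "okhttp/4.9"
192.0.2.9 - - [03/Feb/2026:10:20:00 +0000] "GET /.well-known/acme-challenge/abc HTTP/1.1" 200 87 "-" "acme-client"
"""


if __name__ == '__main__':
    result = triage(SAMPLE_LOG.splitlines())
    for ip, rec in result.items():
        print(ip, 'requested', len(rec['requests']), 'sensitive paths; served:', rec['served'])
    print('rotate credentials for:', exposed_paths(result))
```

Run it over the real access log with triage(open('/var/log/nginx/access.log')) (path assumed). Anything in exposed_paths was handed out, so treat every secret in those files as compromised regardless of how few requests there were; the requests list, including the 404s, tells you who was probing and when.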

Need help? Our comprehensive security audit covers OWASP API Top 10, business logic testing, and full endpoint analysis, starting at €3,500.

ThreeStack Security Team

We build security tools and help companies protect their APIs. Our scanner runs 29 automated checks and has analyzed thousands of endpoints.