Be careful when using .env files
This file could be a source of a cyber breach
Less than 24 hours after a website was launched, a bot was already sniffing it for secrets, searching for a .env file, where some projects store their secrets. Fortunately, this website was protected by Cloudflare.
What can we learn from this?
The .env file should be treated as a potential source of a cyber breach. We should be cautious about what data we store there.
Should we put secrets in the .env file?
Not if it can be avoided.
Where should we store and use secrets?
Store secrets in a secrets manager or a database. Limit the use of secrets to backend code, i.e., code that is never shipped to the frontend web application.
How can we protect the .env file?
We should use a Web Application Firewall (WAF) to block external HTTP requests that try to read this file. The file should only ever be read by the application code.
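As an added example (not code from the original post), the following Python script runs the check a defender would want after seeing such a bot: it parses access-log lines, flags every request aimed at a .env file, and tells a 200 (the file was actually served) apart from a blocked 403/404. The combined log format and the sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log line (format assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path ends in ".env" or a variant such as ".env.production" (pattern is an assumption).
SECRET_FILE_RE = re.compile(r'(^|/)\.env(\.[\w.-]+)?$', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into its fields; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def find_env_probes(lines):
    """Return (ip, path, status) for every request that targeted a .env file."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and SECRET_FILE_RE.search(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def summarize(hits):
    """A 2xx on a .env probe means the file was served: treat its contents as leaked."""
    exposed = [h for h in hits if 200 <= h[2] < 300]
    blocked = sum(1 for h in hits if h[2] in (401, 403, 404))
    per_ip = Counter(h[0] for h in hits)
    return {"probes": len(hits), "exposed": exposed, "blocked": blocked,
            "top_sources": per_ip.most_common(3)}


# Constructed sample traffic (not real log data): one scanner trying several .env variants.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:03:12:01 +0000] "GET /.env HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:03:12:02 +0000] "GET /api/.env.backup HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:03:12:03 +0000] "GET /.env.production?x=1 HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:03:15:10 +0000] "GET /index.html HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:03:15:11 +0000] "GET /static/environment.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(find_env_probes(SAMPLE_LOG)))
```

Any entry in `exposed` means the WAF or server rule did not stop the read, and the secrets in that file should be considered compromised.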