Be careful when using .env files

This file could be a source of a cyber breach


Screen capture of a web firewall event

Less than 24 hours after a new website went live, a bot was already probing it for a .env file, the file in which some projects store their secrets. Fortunately, this website was protected by Cloudflare, and the request was blocked and logged rather than served.

What can we learn from this?

Treat the .env file as a potential source of a breach: if it ever becomes readable over HTTP, everything in it is exposed in one request. Be deliberate about what data you store there.

Should we put secrets in the .env file?

No, whenever you can avoid it. A .env file is a plaintext file on disk, usually inside the project directory, and it is easy to commit it to version control or deploy it under the web root by mistake.

Where should we store and use secrets?

Store secrets in a secrets manager (or, at minimum, a store such as a database that the application reads at runtime) and load them into the process only where they are needed. Limit their use to backend code, i.e. code that is never shipped to or fetched by the frontend web application: anything that reaches the browser is visible to every user and every bot, so a secret that reaches the browser is no longer a secret.

How can we protect the .env file?

Use a Web Application Firewall to block external HTTP requests for the file, and also configure the web server itself to deny any path whose name begins with a dot (/.env, /.git, and so on), so the file stays protected even if a request slips past the WAF. Keep the file outside the web root and out of version control (add it to .gitignore). The file should only ever be read by the application code.


Miguel A. Calles · Serverless CISO

Author of "Serverless Security" · Specializing in CMMC, SOC 2, serverless & engineering.