
Stop putting secrets in .env files committed to git

Mar 15, 2026·4 min read

This is the most common security mistake in modern web development. Developers create a .env file, put secrets in it, commit it, and only then add it to .gitignore. The .gitignore entry keeps the file out of future commits, but it does nothing to the commits that already contain it: the secrets stay in history.

Check your own repo

git log --all --full-history -- .env
git show <commit-hash>:.env

If the first command returns output, your secrets were committed; the second prints the file exactly as it existed at that commit. Anyone who clones the repo — now or in the future — can retrieve them.

The tools attackers use

truffleHog and git-secrets are purpose-built for this. They walk every commit in a repository's history looking for high-entropy strings and known key formats that look like API keys. They're free, fast, and run in CI, so there is no reason not to run them on your own repos before someone else does.
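The scan those tools perform, in miniature, as an added example that is not code from truffleHog, git-secrets or this post: it parses .env-style text, skips obvious placeholders, and flags a value when it starts with a well-known credential prefix or when it is long and high-entropy. The sample .env content, the prefix list, and the thresholds (16 characters, 3.5 bits per character) are assumptions made for this example; every value in the sample is made up. `scan_git_history` strings together the two git commands from the post over a real checkout and is the only part that needs git.

```python
"""Scan .env-style content for secrets using the two signals history
scanners rely on: known key prefixes and high Shannon entropy.
Added example for this post; not truffleHog or git-secrets code."""
import math
import re
import subprocess

# Constructed sample of a committed .env blob. Every value is made up for
# this example; none is a real credential.
SAMPLE_ENV = """\
# app config
APP_NAME=myapp
PORT=3000
DEBUG=true
export DATABASE_URL=postgres://app:s3cretPassw0rd@db.internal:5432/app
STRIPE_KEY="sk_live_Qm7xA2pZ9kLw4NvB8rT3yH6c"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
SENDGRID_KEY=<your-sendgrid-key>
API_TOKEN=changeme
"""

# Assumed, deliberately short list of well-known credential prefixes.
KNOWN_PREFIXES = {
    "sk_live_": "Stripe live secret key",
    "sk_test_": "Stripe test secret key",
    "AKIA": "AWS access key ID",
    "ghp_": "GitHub personal access token",
}
PLACEHOLDERS = {"", "changeme", "todo", "placeholder", "example", "xxx"}
LINE_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_dotenv(text: str) -> dict:
    """KEY=VALUE lines -> dict; comments, blanks, 'export' and quotes handled."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def is_placeholder(value: str) -> bool:
    """Values that are clearly templates rather than live secrets."""
    v = value.strip()
    return (v.lower() in PLACEHOLDERS
            or (v.startswith("<") and v.endswith(">"))
            or v.startswith("${"))


def scan_dotenv(text: str, min_len: int = 16, threshold: float = 3.5) -> list:
    """Return [(key, reason)] for values that look like live secrets."""
    findings = []
    for key, value in parse_dotenv(text).items():
        if is_placeholder(value):
            continue
        hit = next((p for p in KNOWN_PREFIXES if value.startswith(p)), None)
        if hit:
            findings.append((key, f"matches known prefix {hit!r} ({KNOWN_PREFIXES[hit]})"))
            continue
        h = shannon_entropy(value)
        if len(value) >= min_len and h >= threshold:
            findings.append((key, f"high entropy ({h:.2f} bits/char over {len(value)} chars)"))
    return findings


def scan_git_history(repo: str, path: str = ".env") -> dict:
    """Run the post's two git commands and scan every historical version of
    `path`. Returns {commit: findings}. Needs a git checkout at `repo`."""
    log = subprocess.run(
        ["git", "log", "--all", "--full-history", "--format=%H", "--", path],
        cwd=repo, capture_output=True, text=True, check=True)
    results = {}
    for commit in log.stdout.split():
        # The commit that deleted the file is listed by `git log` but has no
        # blob at that path, so `git show` fails there; skip it.
        show = subprocess.run(["git", "show", f"{commit}:{path}"],
                              cwd=repo, capture_output=True, text=True)
        if show.returncode != 0:
            continue
        findings = scan_dotenv(show.stdout)
        if findings:
            results[commit] = findings
    return results


if __name__ == "__main__":
    for key, reason in scan_dotenv(SAMPLE_ENV):
        print(f"{key}: {reason}")
```

On the sample this flags DATABASE_URL (the embedded password pushes the whole URL over the entropy threshold), STRIPE_KEY and AWS_ACCESS_KEY_ID, and ignores the placeholder and short config values. The entropy signal is what makes these scanners catch keys with no recognisable prefix, and also what makes them noisy: UUIDs, base64-encoded config and random test fixtures trip it too, so treat a hit as something to look at, and a prefix match as something to rotate.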

What to do right now

If you've committed secrets:

  1. Rotate every key that was exposed — assume it's compromised
  2. Rewrite the history to remove the file, with git filter-repo or BFG Repo Cleaner
  3. Force push the rewritten history to all remotes
  4. Check whether any forks or clones exist — they may still have the old history

Going forward: use a secrets manager (Vercel env vars, Doppler, AWS Secrets Manager) instead of .env files. Never commit a .env file. Add .env* to your global gitignore.
