.env Information Leak

ID

env_information_leak

Severity

high

Kind

Information Disclosure

CWE

215

Description

One or more .env files appear to be reachable over HTTP on the server. These files commonly contain infrastructure or administrative account credentials, API or application keys, and other sensitive configuration values.

Rationale

An accessible .env file typically contains database credentials, API keys, encryption secrets, and third-party service tokens in plaintext. An attacker who retrieves it often gains direct access to backend systems, cloud services, and administrative interfaces without exploiting any other vulnerability, and because the file is served statically the only trace is a single line in the web server's access log. Because .env files are the conventional configuration mechanism across many frameworks (Laravel, Node.js, Django, Ruby on Rails), automated scanners routinely probe for /.env and for common variants such as /.env.bak, /.env.local and /.env.production.
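Scanners that flag /.env from a 200 status alone produce false positives on servers that answer every path with a "soft 404" HTML page. The helper below, added here as an example (it is not part of the scanner or of any framework named above), takes a response body that has already been fetched, decides whether it really is a dotenv file, parses it, and lists the keys whose values should be treated as compromised and rotated. The assignment grammar, the key-name heuristic and the sample bodies are assumptions constructed for the example.

```python
"""Triage a suspected .env disclosure from the response body alone (offline)."""
from __future__ import annotations

import re

# A dotenv assignment: optional "export", a shell-style identifier, "=", rest of line.
# (Assumed grammar: covers the common Laravel/Node/Django dotenv dialects.)
ASSIGNMENT_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Key names that almost always hold material worth rotating (heuristic, an assumption).
SECRET_KEY_RE = re.compile(r"(PASS|SECRET|KEY|TOKEN|PRIVATE|CREDENTIAL|DSN)", re.I)

# Connection strings with embedded credentials, e.g. postgres://user:pass@host/db.
URL_CREDS_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.I)


def _content_lines(body: str) -> list[str]:
    """Non-empty, non-comment lines of the body, stripped."""
    return [l.strip() for l in body.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def looks_like_dotenv(body: str, min_ratio: float = 0.8) -> bool:
    """True when the body is KEY=VALUE text rather than an HTML error page."""
    lines = _content_lines(body)
    if not lines or lines[0].lower().startswith(("<!doctype", "<html")):
        return False
    matched = sum(1 for l in lines if ASSIGNMENT_RE.match(l))
    return matched / len(lines) >= min_ratio


def parse_dotenv(body: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; strips matching quotes and unquoted trailing comments."""
    values: dict[str, str] = {}
    for line in _content_lines(body):
        m = ASSIGNMENT_RE.match(line)
        if not m:
            continue  # tolerate stray non-assignment lines
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]           # quoted: keep everything inside the quotes
        else:
            value = value.split(" #", 1)[0].rstrip()  # unquoted: drop trailing comment
        values[key] = value
    return values


def secrets_to_rotate(values: dict[str, str]) -> list[str]:
    """Keys whose name or value indicates a credential; sorted for stable reports."""
    return sorted(k for k, v in values.items()
                  if v and (SECRET_KEY_RE.search(k) or URL_CREDS_RE.match(v)))


def triage(body: str) -> dict:
    """Summary a finding can carry: confirmed or not, keys seen, keys to rotate."""
    if not looks_like_dotenv(body):
        return {"is_dotenv": False, "keys": [], "rotate": []}
    values = parse_dotenv(body)
    return {"is_dotenv": True, "keys": sorted(values), "rotate": secrets_to_rotate(values)}


# Constructed sample bodies (not from any real deployment).
SAMPLE_ENV = """\
# Constructed sample .env for the example
APP_NAME=Example
APP_ENV=production
APP_KEY=base64:ZmFrZS1rZXktZm9yLWV4YW1wbGU=
APP_DEBUG=false
DB_HOST=127.0.0.1
DB_USERNAME=app
DB_PASSWORD="s3cr3t pass"
DATABASE_URL=postgres://app:hunter2@db.internal:5432/app
MAIL_FROM_ADDRESS=noreply@example.com  # unquoted trailing comment
export AWS_SECRET_ACCESS_KEY=FAKE/EXAMPLE/not-a-real-secret
"""

SAMPLE_SOFT404 = "<!DOCTYPE html>\n<html><body>Not found</body></html>\n"

if __name__ == "__main__":
    print(triage(SAMPLE_ENV))
    print(triage(SAMPLE_SOFT404))
```

The rotation list is deliberately the output, not the secret values themselves: a finding should name what to rotate without copying the credentials into yet another system.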

Remediation

Treat every value in an exposed .env file as compromised and rotate it first; blocking future reads does not undo a disclosure that has already happened.

Then configure the web server to deny access to all dotfiles, not only .env, so that backup and per-environment copies (.env.bak, .env.local, .env.production) are covered as well. In Apache 2.4:

<FilesMatch "^\.">
    Require all denied
</FilesMatch>

In Nginx:

location ~ /\. { deny all; }

Note that the Nginx rule also blocks /.well-known/, which ACME HTTP-01 challenges rely on; if you use it, add a more specific location for /.well-known/ that allows access. Verify after deploying the change: a request for /.env must return 403 or 404, not a body of KEY=VALUE lines.

The server rule is defence in depth. The real fix is to keep .env out of any directory the web server serves: point the document root at the application's public directory and keep .env (and the rest of the project) outside it, and prefer supplying secrets through the process environment of the service manager or a dedicated secrets manager rather than a file on disk.