Protect your .env!
[ web ]

This blog has been online for about 10 hours. To put it more harshly: I’m a nobody on the internet. Yet, when I generated my first visitor report with goaccess, I saw that the bot army had already started attacking my server. A lot of suspicious-looking URLs have been requested:

This is just a small sample, but it is obvious that they are trying to exploit known vulnerabilities. These requests are absolutely harmless because this is a static website, but there was one request that caught my attention:

/.env

My static site doesn’t have a .env file but I work on a lot of projects that have one. I of course know that exposing the .env file is a mistake – it usually contains passwords, keys and other sensitive information and in a production environment, these should be in environment variables – but it is very scary to see that this is among the first things hackers try – because it’s so easy to accidentally copy it into a public directory.

So please, everyone: protect your .env!
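A check for your own access logs, as an added example that is not part of the original post: it separates dotenv probes that got an error from requests the server actually answered with a 2xx, which means the file was served. It assumes the Combined Log Format; the function name and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format (assumed): ip - user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Last path segment is ".env" or a variant such as ".env.local" or ".env.bak".
DOTENV_RE = re.compile(r'(?:^|/)\.env(?:\.[\w.-]+)?$', re.IGNORECASE)


def find_dotenv_requests(lines):
    """Return (probes, exposures) for requests that target a dotenv file.

    probes:    dict of client IP -> number of dotenv requests
    exposures: list of (ip, path, size) answered with 2xx, i.e. actually served
    """
    probes = defaultdict(int)
    exposures = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if not DOTENV_RE.search(path):
            continue
        probes[m.group("ip")] += 1
        if m.group("status").startswith("2"):
            size = 0 if m.group("size") == "-" else int(m.group("size"))
            exposures.append((m.group("ip"), path, size))
    return dict(probes), exposures


# Constructed sample lines (documentation IP ranges), not taken from the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api/.env.bak HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2024:10:05:00 +0000] "GET /app/.env?x=1 HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.4 - - [01/Jan/2024:10:06:00 +0000] "GET /environment.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    probes, exposures = find_dotenv_requests(SAMPLE_LOG)
    for ip, count in sorted(probes.items()):
        print(f"probe: {ip} requested a dotenv path {count} time(s)")
    for ip, path, size in exposures:
        print(f"EXPOSED: {path} served to {ip} ({size} bytes); rotate every secret in it")
```

Any entry in `exposures` means the secrets in that file should be treated as leaked. Percent-encoded paths are not decoded here, so normalize them first if your server logs the raw request line.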