Pricing
Log in Sign up →
Back to blog

Building

Your .env file isn't safe
from your AI assistant

Your AI coding assistant can read your credentials right now through paths you haven't thought about. Here's how to check and what to do about it.

May 11, 2026 6 min read
.env AI Security Credentials MCP
Written for: (select one)

What is .env file security?

A .env file is a plain-text configuration file that stores environment variables for a software project, typically containing API keys, database connection strings, OAuth secrets, and cloud provider credentials. .env file security refers to the practices and tools used to prevent these secrets from being exposed. Traditionally, .env security focused on keeping secrets out of git commits using .gitignore. With AI coding assistants, the threat model has expanded: tools like Copilot, Cursor, and Claude Code read project files directly from disk, meaning .env contents can be sent to cloud APIs even if the file is never committed. There are at least five distinct access paths AI tools use to reach your credentials, and most developers only protect against one of them.

A .env file is a plain-text file in your project folder that stores passwords, API keys, database addresses, and other secrets your app needs to run. .env file security means keeping those secrets from leaking. The old advice was simple: add .env to your .gitignore so it never gets uploaded to version control. But AI coding tools have changed the game. Tools like Copilot, Cursor, and Claude Code read files straight from your project folder, which means your secrets can be sent to cloud servers even if you never upload the file. There are at least five ways AI tools can reach your credentials, and most people only protect against one of them.

A .env file is a plain-text configuration file that stores environment variables for a software project -- typically API keys, database connection strings, OAuth secrets, and cloud provider credentials. .env file security refers to the practices and tooling used to prevent these secrets from leaking beyond their intended trust boundary. Traditionally, that meant keeping secrets out of git commits via .gitignore. With AI coding assistants, the threat model has expanded: tools like Copilot, Cursor, and Claude Code read project files directly from disk, which means .env contents can be sent to cloud APIs at inference time even if the file is never committed. There are at least five distinct access paths AI tools use to reach your credentials, and most developers only guard against one of them.

Your AI coding assistant can probably read your .env file right now. And your AWS credentials. And your MCP server configs with API keys hardcoded in plain text. Here is how to check.

Most developers know not to commit secrets to git. That is table stakes. But committed secrets are only one of five ways your AI assistant can access your credentials. The other four are paths most developers have not thought about.

Your AI coding tool can probably read your .env file right now. And your AWS credentials. And your MCP server configs with API keys sitting in plain text. Here is how to check.

Most people who build with AI know not to upload secrets to version control. That is the bare minimum. But uploaded secrets are only one of five ways your AI tool can access your credentials. The other four are paths nobody thinks about.

Your AI coding assistant can probably read your .env file right now. And your AWS credentials. And your MCP server configs with API keys hardcoded in plain text. Here is how to check.

Most developers know not to commit secrets to git. That is table stakes -- the one access path everyone covers. But committed secrets are only one of five ways your AI assistant can reach your credentials. The other four are tool-use surfaces most developers have never audited.

5
Leak paths
24K+
Devs exposed (2026)
6
AI tools tested
0
Existing scanners cover all paths

The five-second test

Open your AI coding assistant. Ask it: "What's in my .env file?" If it shows you your credentials, you have an exposure. That is path one.

~/project · .env
$ cat .env
STRIPE_SECRET_KEY=sk_live_EXAMPLE_KEY_REDACTED
DATABASE_URL=postgresql://admin:s3cret@db.example.com:5432/prod
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Explorer
📁 my-saas-app
📄 package.json
📄 index.ts
📁 src/
📄 .gitignore
⚠ .env
⚠ Secrets inside
This file has your Stripe key, database password, and API keys. Your AI tool can read it.
📄 tsconfig.json
📄 README.md
Credential surfaces reachable at inference time
AGENT CONTEXT
File System Access
.envUNSCOPED
.aws/credentialsUNSCOPED
mcp.jsonUNSCOPED
Runtime Environment
env varsUNSCOPED
Tool Outputs
cmd resultsUNSCOPED

Now ask it to run printenv. If your API keys appear in the output, that is path two: runtime output. The credentials are not in any file the AI reads directly, but they are in the command output that enters the AI's context.

~ · terminal
$ printenv | grep -i key
STRIPE_SECRET_KEY=sk_live_EXAMPLE_KEY_REDACTED
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
OPENAI_API_KEY=sk-proj-abc123def456...
AI Assistant Chat
AI ASSISTANT
I found these in your environment:
STRIPE_SECRET_KEY=sk_live_51Hx...a8Qk
DATABASE_URL=postgres://admin:r3alPa$$@db.host.com
OPENAI_API_KEY=sk-proj-9xK...mW2
AWS_SECRET_KEY=wJalrXUtnFE...EXAMPLEKEY
⚠ These real credentials were sent to the AI provider's cloud servers
Context Window Leakage
Secrets enter the context through tool-call results, not file reads.
Agent Prompt
Tool Call: exec(printenv)
Tool Result -- secrets visible
STRIPE_KEY=sk_live_4eC39HqL...
DATABASE_URL=postgres://admin:p@ss...
AWS_SECRET=wJalrXUtnFEMI/K7...
Sent to API -- secrets now in provider context

Check your MCP server config files. Open them. Are there API keys hardcoded in the JSON? That is path four. GitGuardian's 2026 State of Secrets Report found 24,000+ developers with this exact exposure.

~/.cursor · mcp.json
// ~/.cursor/mcp.json
{
  "servers": {
    "postgres": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-postgres",
               "postgresql://admin:s3cret@db.example.com:5432/prod"]
    }
  }
}
⚙ MCP Server Settings
{
"mcpServers": {
"supabase": {
"command": "npx",
"env": {
"DB_PASSWORD": "hunter2real"
}
}
}
}
This config file is often committed to version control or shared in project templates.
Trust Boundary Violation in MCP Config
Central Config
mcp.json -- all credentials in one file
▼ ▼ ▼
Server A
database
Has: DB_URL, API_KEY, MON_TOKEN
Server B
api
Has: DB_URL, API_KEY, MON_TOKEN
Server C
monitoring
Has: DB_URL, API_KEY, MON_TOKEN
Unscoped capability grant -- every server sees every secret
#Leak PathHow It WorksExisting Scanners
1Direct file readAI reads .env, .aws/credentials, config filesNone
2Runtime outputprintenv, debug logs, error messages with credentialsNone
3File searchAI searches project tree, finds credential filesNone
4MCP configAPI keys hardcoded in MCP server JSON configsNone
5Git historyPreviously committed secrets still in reflogGitGuardian, TruffleHog

Why your current tools miss this

GitGuardian and TruffleHog are excellent at what they do: scanning git history for committed secrets. But they were built before AI coding assistants existed. They do not scan your AI tool's access surface because that attack surface did not exist when they were designed.

Your AI assistant can access secrets through file reads, command execution, file search, and MCP configs. None of these paths involve committing anything to git. Your git-focused secret scanner sees nothing.

Git secret scanning catches committed secrets. AI assistants can access your credentials without committing anything. Four exposure paths are invisible to existing tools.

GitGuardian and TruffleHog are great at what they do: scanning your version control history for secrets that were accidentally uploaded. But they were built before AI coding tools existed. They do not check whether your AI tool can reach your secrets, because that risk did not exist when they were designed.

Your AI tool can access secrets by reading files, running commands, searching your project folder, and pulling from MCP server configs. None of these require uploading anything to version control. Your secret scanner never sees it happen.

Version control scanners catch uploaded secrets. AI coding tools can access your credentials without uploading anything. Four exposure paths are invisible to existing scanners.

GitGuardian and TruffleHog are excellent at what they do: scanning git history for committed secrets. But they were built before AI coding assistants widened the capability envelope. They do not scan your AI tool's access surface because that surface did not exist when they were designed.

Your AI assistant can reach secrets through file reads, command execution, file search, and MCP server configs -- none of which involve committing anything to git. Every one of these paths operates outside the permission scope of a git-focused secret scanner. It sees nothing.

Git secret scanning catches committed secrets. AI assistants can access your credentials without committing anything. Four exposure paths sit entirely outside the governance layer of existing tools.

GitGuardian's 2026 State of Secrets Report found 24,000+ developers with MCP configs containing hardcoded API keys. These credentials are readable by any AI tool with file access. Existing secret scanners don't flag them because MCP configs aren't in git history.

What to do about it

First, add deny rules. If you use Claude Code, add patterns to .claude/settings.json that block access to .env files, credential stores, and sensitive config paths. Other AI tools have similar permission mechanisms.

First, add deny rules. If you use Claude Code, add patterns to .claude/settings.json that block access to .env files, credential stores, and sensitive config paths. Other AI tools have similar permission settings.

First, add deny rules to restrict the tool-use surface. If you use Claude Code, add patterns to .claude/settings.json that block access to .env files, credential stores, and sensitive config paths. Other AI tools have similar permission scope mechanisms -- the goal is least-privilege agent access at tool-call time.

~/.claude · settings.json
// .claude/settings.json
{
  "deny": [
    "Read(.env*)",
    "Read(.aws/**)",
    "Read(**/credentials*)",
    "Read(**/*.pem)",
    "Read(**/*.key)",
    "Bash(printenv*)",
    "Bash(env | *)"
  ]
}
🛡 Protection Settings
Blocked File Patterns
.env filesBLOCKED
AWS credentials (~/.aws/)BLOCKED
SSH keys (~/.ssh/)BLOCKED
Certificate files (*.pem, *.key)BLOCKED
Keychain / credential storesBLOCKED
Least-privilege agent access at tool-call time
Agent Context -- tool call: read(.env)
Governance Layer
DENY: .env*BLOCKED
DENY: .aws/**BLOCKED
DENY: *.pemBLOCKED
Credential Surfaces -- unreachable

Test your deny rules. After adding them, ask your AI assistant to read a blocked file. If it can, your rules aren't working. Manual configuration is fragile -- one typo means one open door.

Second, generate sanitized test configurations. You need to test your integrations without using real credentials. Create .env.example files with placeholder values and ensure your AI assistant uses those instead of real credentials.

Second, create safe test versions of your secrets. You need to test your integrations without using real credentials. Create .env.example files with placeholder values and make sure your AI tool uses those instead of the real ones.

Second, generate sanitized test configurations. You need to validate integrations without exposing real credentials inside the agent context. Create .env.example files with placeholder values and ensure your AI assistant operates against those instead of production secrets.

The real fix

Manual deny rules work but they are fragile. You add a new tool, a new MCP server, a new credential file, and the rules need updating. One typo in a glob pattern and a path stays open. Scale that across a team and it falls apart.

What an automated scanner needs

A real solution would need to scan every AI coding tool on the machine, check all four non-git leak paths, and generate the fix files automatically -- deny rules, sanitized configs, pre-commit hooks. Not just flag the problem. Fix it.

That's what devsafe diagnose does. Free. Runs locally. No data leaves your machine.

Manual deny rules work, but they break easily. You add a new tool, a new MCP server, a new credential file, and the rules need updating. One typo in a pattern and a path stays open. Try to keep that consistent across a team and it falls apart.

What an automated scanner needs

A real fix would need to scan every AI coding tool on your machine, check all four non-upload leak paths, and generate the protective files automatically -- deny rules, safe test configs, pre-upload hooks. Not just flag the problem. Fix it.

That is what devsafe diagnose does. Free. Runs on your machine. No data leaves your computer.

Manual deny rules work, but they drift. You add a new tool, a new MCP server, a new credential file, and the rules need updating. One typo in a glob pattern and a path stays open. Scale that across a team and the governance layer falls apart.

What an automated scanner needs

A real solution needs to scan every AI coding tool on the machine, audit all four non-git leak paths, and generate the fix files automatically -- deny rules, sanitized configs, pre-commit hooks. Not just flag the exposure. Close it.

That is what devsafe diagnose does. Free. Runs locally. No data leaves your machine.

~ · devsafe diagnose
$ devsafe diagnose

Scanning AI tool access surfaces...

  Claude Code    ~/.claude/settings.json     3 paths exposed
  Cursor         ~/.cursor/mcp.json          2 API keys in config
  VS Code        .vscode/settings.json       clean

5 exposures found.

Generating fixes...
  ✓ .claude/settings.json    deny rules written
  ✓ .env.example             sanitized config created
  ✓ .gitignore               patterns added
  ✓ .pre-commit-config.yaml  secret hook added

Done. Paste the deny rules into your project.
📊 DevSafe Security Scan
3
AI Tools Scanned
5
Secrets Exposed
4
Files Protected
4
Fixes Generated
Claude Code3 EXPOSED
Cursor2 EXPOSED
VS Code CopilotCLEAN
Capability Audit Report
$ devsafe diagnose --all-tools
ToolSurfacesViolationsPolicy
Claude Code32deny rules
Cursor21.cursorignore
VS Code20clean
6
AI tools scanned
4
Leak paths checked
Auto
Fix generation
$0
Cost
Where Your Secrets Travel
📁 Your
Project
📄 .env
file
EXPOSED
🤖 AI Tool
reads it
☁ Sent to
cloud API
📁 Your
Project
📄 .env
file
BLOCKED
🛡 DevSafe
blocks it
🤖 AI gets
placeholder
Trust Boundary Architecture
Current State -- no governance
Principal
developer
Agent
claude code
Tool Layer
read, exec, mcp
Credentials
no boundary
Governed State -- DevSafe inserted
Principal
developer
Agent
claude code
Tool Layer
read, exec, mcp
DevSafe
governance
Credentials
scoped access

Read the full research: Five Paths Your AI Coding Assistant Can Leak Your Secrets documents all five exposure paths with evidence from GitGuardian's 2026 report and real-world examples.

Frequently asked questions

How do I check if my AI assistant can read my .env file?

Open your AI coding assistant in a project that has a .env file and ask it: 'What is in my .env file?' If it returns your secrets, it has access. You can also run 'devsafe diagnose' to scan for all five access paths AI tools use to reach your credentials.

What are the five ways AI assistants access .env secrets?

AI assistants can access your secrets through five paths: direct file reads from the project directory, shell command execution (like cat .env), MCP server configs with hardcoded credentials, context inheritance from parent directories, and git history if .env was ever committed. Most developers only protect against the last one.

Why does .cursorignore not fully protect my .env file?

Tool-specific ignore files like .cursorignore and .claudeignore are documented as best-effort, not guaranteed. The AI assistant can still access ignored files through shell commands, MCP tool calls, or direct path references. These ignore files reduce accidental reads but do not provide a security boundary.

All posts

English is my second language, and I am deaf. I use AI tools to help organize ideas and communicate clearly. Everything you read here reflects my own thinking, experience, and perspective. AI helps me bridge communication barriers so I can focus on sharing ideas rather than struggling with language mechanics.

This page carries a verifiable publication receipt.
Verify
Published
Signed by devsafe.com
Content Hash aadd3d8b1fc2f88ac440e6dfce8eef6a294183980352339f206071146456f8fb
Algorithm SHA-256 + Ed25519
Timestamp 2026-06-15T23:17:23.333Z
TSA Co-sign FreeTSA.org
Raw Receipt JSON
{
  "version": 1,
  "type": "publication-receipt",
  "url": "https://devsafe.com/blog/env-not-safe",
  "contentHash": "sha256:aadd3d8b1fc2f88ac440e6dfce8eef6a294183980352339f206071146456f8fb",
  "timestamp": "2026-06-15T23:17:23.333Z",
  "signedBy": "devsafe.com",
  "publicKey": "https://devsafe.com/.well-known/publication-receipt-key.json",
  "signature": "ed25519:m37mppalctp/pomv/p1Lzf1/M69AiE1KccG0ROEfcnnEcy0gephcoiYT7VmLNicoXr/sMDm9Uf3fxsNEQ5W0DA==",
  "tsaCosignature": {
    "tsr": "MIISFTADAgEAMIISDAYJKoZIhvcNAQcCoIIR/TCCEfkCAQMxDzANBglghkgBZQMEAgMFADCCAYYGCyqGSIb3DQEJEAEEoIIBdQSCAXEwggFtAgEBBgQqAwQBMDEwDQYJYIZIAWUDBAIBBQAEIKrdPYsfwviKxEDm386O72opQYOYA1IznyBgcRRkVvj7AgQFoo/SGA8yMDI2MDYxNTIzMTcyM1oBAf+gggETpIIBDzCCAQsxETAPBgNVBAoMCEZyZWUgVFNBMQwwCgYDVQQLDANUU0ExdjB0BgNVBA0MbVRoaXMgY2VydGlmaWNhdGUgZGlnaXRhbGx5IHNpZ25zIGRvY3VtZW50cyBhbmQgdGltZSBzdGFtcCByZXF1ZXN0cyBtYWRlIHVzaW5nIHRoZSBmcmVldHNhLm9yZyBvbmxpbmUgc2VydmljZXMxGDAWBgNVBAMMD3d3dy5mcmVldHNhLm9yZzEkMCIGCSqGSIb3DQEJARYVYnVzaWxlemFzQG1haWxib3gub3JnMRIwEAYDVQQHDAlXdWVyemJ1cmcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm6ggg5nMIIGYDCCBEigAwIBAgIJAMLphhYNqOnNMA0GCSqGSIb3DQEBDQUAMIGVMREwDwYDVQQKEwhGcmVlIFRTQTEQMA4GA1UECxMHUm9vdCBDQTEYMBYGA1UEAxMPd3d3LmZyZWV0c2Eub3JnMSIwIAYJKoZIhvcNAQkBFhNidXNpbGV6YXNAZ21haWwuY29tMRIwEAYDVQQHEwlXdWVyemJ1cmcxDzANBgNVBAgTBkJheWVybjELMAkGA1UEBhMCREUwHhcNMjYwMjE1MTk0NDIyWhcNNDAwMjAyMTk0NDIyWjCCAQsxETAPBgNVBAoMCEZyZWUgVFNBMQwwCgYDVQQLDANUU0ExdjB0BgNVBA0MbVRoaXMgY2VydGlmaWNhdGUgZGlnaXRhbGx5IHNpZ25zIGRvY3VtZW50cyBhbmQgdGltZSBzdGFtcCByZXF1ZXN0cyBtYWRlIHVzaW5nIHRoZSBmcmVldHNhLm9yZyBvbmxpbmUgc2VydmljZXMxGDAWBgNVBAMMD3d3dy5mcmVldHNhLm9yZzEkMCIGCSqGSIb3DQEJARYVYnVzaWxlemFzQG1haWxib3gub3JnMRIwEAYDVQQHDAlXdWVyemJ1cmcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCYXllcm4wdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASiFeGhstbLhxix0o4UAumNSwHUUlOe3DBvs8fYs580wADW59oqGSCx15bp61TSmXkwLm1JW48XnbLLizP6ZtjcvshV3H9uz2bS53sgDXhg1wLbIhAtraC+fHCytHeuVaujggHmMIIB4jAJBgNVHRMEAjAAMB0GA1UdDgQWBBQVwL0m69RdgtFdkyYxL+9wsotGXjAfBgNVHSMEGDAWgBT6VQ2MNGZRQ0z357OnbJWveuaklzALBgNVHQ8EBAMCBsAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwbAYIKwYBBQUHAQEEYDBeMDMGCCsGAQUFBzAChidodHRwOi8vd3d3LmZyZWV0c2Eub3JnL2ZpbGVzL2NhY2VydC5wZW0wJwYIKwYBBQUHMAGGG2h0dHA6Ly93d3cuZnJlZXRzYS5vcmc6MjU2MDA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vd3d3LmZyZWV0c2Eub3JnL2NybC9yb290X2NhLmNybDCByAYDVR0gBIHAMIG9MIG6BgMrBQgwgbIwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cuZnJlZXRzYS5vcmcvZnJlZXRzYV9jcHMuaHRtbDAyBggrBgEFBQcCARYmaHR0cDovL3d3dy5mcmVldHNhLm9yZy9mcmVldHNhX2Nwcy5wZGYwRwYIKwYBBQUHAgIwOxo5RnJlZVRTQSB0cnVzdGVkIHRpbWVzdGFtcGluZyBTb2Z0d2FyZSBhcyBhIFNlcnZpY2UgKFNhYVMpMA0GCSqGSIb3DQEBDQUAA4ICAQBrMVS/YfnfMr0ziZnesBUOrDNRrNNgt3IgMNDwNhwl6oKWHVIhlYnM/5boljfbpZTAbqvxHI3ztT0/swxQOqTat5qBJRAY/VH1n/T4M9uDjSuu3qfh0ZH5PL9ENqoVW44i5NT/znQev2MGXOAHwz9kZwwzz9MFX6hbGhBqWa+nlAqb7Y72KFzj33m1OVHxV2Wl4YD9f91bZTFpUEGW4Ktbkmxpf/iGIPaf4WHpoBW/O6EzofMKYlz4yXyEBh0wRRVyXltLrj+MFHqhe+PsMBllq/dCaO4W/F+AuHElu7aUYWMASelphWAJiUsNMr5HAoeCSSgilqf1CSoWC+k6e4334Fym+Iy4csMex+PG4rSdqXJVQ+AWEdRajSPKh7yDfpNkdnO6yqQJ/tSd11XQ5cL0M9jWuCD1zHlgA+u+R2cry3yo23jD7qTGLhZqUvXCyWigH30/Q/RXjjDwrc4DJiQ+gRY0FhdTYqlvgMBPr4LcJKnNksivdj+kbz7bVSbrBAzRiazK9l841/5XMtP9BvD0hKCpQFvP9PSgCC8EQnKqgSe26FSJBaAQcA5TnK8NF4jkbElBxf/zyh7P3IjHso35jtgUWD1/itg9BJWbYUwJ4tfILpB2F0wbk1GcZDCDZoyW3Xf3trApz/Zd93gF3joc9Hh9RFveKRzWQ7ddUt3egTCCB/8wggXnoAMCAQICCQDB6YYWDajpgDANBgkqhkiG9w0BAQ0FADCBlTERMA8GA1UEChMIRnJlZSBUU0ExEDAOBgNVBAsTB1Jvb3QgQ0ExGDAWBgNVBAMTD3d3dy5mcmVldHNhLm9yZzEiMCAGCSqGSIb3DQEJARYTYnVzaWxlemFzQGdtYWlsLmNvbTESMBAGA1UEBxMJV3VlcnpidXJnMQ8wDQYDVQQIEwZCYXllcm4xCzAJBgNVBAYTAkRFMB4XDTE2MDMxMzAxNTIxM1oXDTQxMDMwNzAxNTIxM1owgZUxETAPBgNVBAoTCEZyZWUgVFNBMRAwDgYDVQQLEwdSb290IENBMRgwFgYDVQQDEw93d3cuZnJlZXRzYS5vcmcxIjAgBgkqhkiG9w0BCQEWE2J1c2lsZXphc0BnbWFpbC5jb20xEjAQBgNVBAcTCVd1ZXJ6YnVyZzEPMA0GA1UECBMGQmF5ZXJuMQswCQYDVQQGEwJERTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALYCjg4wMvERENlkzalLnQJ44ZQq6ROqpZkHzaaXk5lb2ax+M7rZ/jcE2hwBqY0hr+P1kaWdcGdwUWeZj1AWci4KtGKyH0ORcdLPzEWT83Na95SlqzEfbAEMeJjeM9dcRRDudvS9HRSYzxfTA/BqXdn3lsxsqbZXpW/j6k/vvnzmtqGNPjWjDO5f8XDRzzmjM9P9qJZNIttoWynlYb6JDwqoRYc7LoSrJquDn/6PrenSO7MeYdJzzJuIBkkYX6vs+gU0YAq6kBthTi6FRYLeoiJvwZzX31K+1Q2Hd82ZiMBTo/x9wyh6BopP8StxPNmANmbpVThUVv84+AKYz2uThW6SJHdKZs8c3RHC+O/YUgPXRYslZksT7WOc3tT/gRPWzFNT0nKUc8PDBxV8ciqltd0L+y1sOLG5N0nIgexgAm0IlRs4JL1xusvORzrr1jbwuRi0osj/RpTwdFevLW8c+CVU0XcP15/10xTc0QTN3KvJQTgFbfzwF+frhXL9UvcBRPGI2gX1gj9Y3QYpfnOHvtLXcsE9qCZmAQRf5BLdcJhsDJh7pzRLkDc4dRbSWOeIW1H4lot/JgEhO8TLTIX4/wuEr2qYgzfN+4GGj37PMdymcW1+wt2ALBZyYp5cAFLLNX3Smq/EP2FbOx/51OHOCMccc+H+u33FajNiEynp7WwjAgMBAAGjggJOMIICSjAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwIBxjAdBgNVHQ4EFgQU+lUNjDRmUUNM9+ezp2yVr3rmpJcwgcoGA1UdIwSBwjCBv4AU+lUNjDRmUUNM9+ezp2yVr3rmpJehgZukgZgwgZUxETAPBgNVBAoTCEZyZWUgVFNBMRAwDgYDVQQLEwdSb290IENBMRgwFgYDVQQDEw93d3cuZnJlZXRzYS5vcmcxIjAgBgkqhkiG9w0BCQEWE2J1c2lsZXphc0BnbWFpbC5jb20xEjAQBgNVBAcTCVd1ZXJ6YnVyZzEPMA0GA1UECBMGQmF5ZXJuMQswCQYDVQQGEwJERYIJAMHphhYNqOmAMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly93d3cuZnJlZXRzYS5vcmcvcm9vdF9jYS5jcmwwgc8GA1UdIASBxzCBxDCBwQYKKwYBBAGB8iQBATCBsjAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5mcmVldHNhLm9yZy9mcmVldHNhX2Nwcy5odG1sMDIGCCsGAQUFBwIBFiZodHRwOi8vd3d3LmZyZWV0c2Eub3JnL2ZyZWV0c2FfY3BzLnBkZjBHBggrBgEFBQcCAjA7GjlGcmVlVFNBIHRydXN0ZWQgdGltZXN0YW1waW5nIFNvZnR3YXJlIGFzIGEgU2VydmljZSAoU2FhUykwNwYIKwYBBQUHAQEEKzApMCcGCCsGAQUFBzABhhtodHRwOi8vd3d3LmZyZWV0c2Eub3JnOjI1NjAwDQYJKoZIhvcNAQENBQADggIBAGivfr+ThWLvTOs7WAvi+vbMNaJncpYvPZWQH6VjDIfQkZiYTOigajP4qcKC7Z8csRrGwj4XEI7k785vspTelcEzJiJVclUiymGXHUo7f3glDfuNSu7A+xlZsWQQBSC5wQ5kxiZi5K1NCrriKY/JSPxOmejZ5rj9vkQEEh7HwUIurLLJ1zKOBzluYLTzu4A61KVVyA/vtT+F53ZKCp+0r8OZ9M0vX79YcQXGCBzz0FM3trt9GwELdJ9IiMkS82lrobaQLXe338BGwEoMwexPjRheLaVd+3vCogNsYhkkak+Z3btvH4KTmPO4A9wK2Q3LWb70wnx3QEuZBDt4JxhnmRFSw5nxLL/ExiWtwJY1WuRONCEA7FF6UC4vBvlAuNQ1mbvBFU+K52GgsNVV+0oTkdTzQgr42/EvLX3bnXfc4VN4BAdK8XXk8tbVWzS11vfcvdMXMK9WSA1MDP8UP56DvBUYZtC6Dwu9xH/ieGQXa71sGrhd8yXt93eIm8RHG/P6c+VsxZHosWDNp7B4ah7ASsOyT6LijV0Z5eSABNXhZqg8guxv1U+zheuvcTOoW1LeRttSROHDSujTbnEvn84NST19Pt1YbGGY4+w+bpY0b0F6yfIh4K/zOo9qCx70wCNjC3atqo2RQzgl7MQcSaW5ixgcfaMOmXq5VMc8LNgFr9qZMYIB7DCCAegCAQEwgaMwgZUxETAPBgNVBAoTCEZyZWUgVFNBMRAwDgYDVQQLEwdSb290IENBMRgwFgYDVQQDEw93d3cuZnJlZXRzYS5vcmcxIjAgBgkqhkiG9w0BCQEWE2J1c2lsZXphc0BnbWFpbC5jb20xEjAQBgNVBAcTCVd1ZXJ6YnVyZzEPMA0GA1UECBMGQmF5ZXJuMQswCQYDVQQGEwJERQIJAMLphhYNqOnNMA0GCWCGSAFlAwQCAwUAoIG4MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAcBgkqhkiG9w0BCQUxDxcNMjYwNjE1MjMxNzIzWjArBgsqhkiG9w0BCRACDDEcMBowGDAWBBRIH9U8U004QYDAKGUZoDb5iFRHZjBPBgkqhkiG9w0BCQQxQgRAi07G3AgPWlLiJm+TRQ04JbwyUDkC1w0XOc7RsVl+WNIchCAhenwsCR0stCX/NEKCiy5/JShQDnNIiFb5JHjwLDAKBggqhkjOPQQDBARnMGUCMFaA2GJ9VBqm/ODbauLIeb8cVjE9m+vl74En2+nKLG6yT5KsbeJCaD1EbU5zN64SfwIxANhZaFyyUs8WJcXcbeEUD3MQ9NA/OQzntGu8KorFGFi35cVpYMGjFF8yk2qsiExOSw==",
    "tsaUrl": "https://freetsa.org/tsr",
    "requestedAt": "2026-06-15T23:17:23.398Z"
  }
}

Skip this step

No spam. Unsubscribe anytime.

Ask Voss

Answers sourced from this article only

I've read this entire post. Ask me anything about .env file security, where secrets leak, or how to protect your environment variables.
...

10 questions per session