re: Please don't commit .env VIEW POST


What's more alarming about this is that there are still some others who have not reverted their commits.

Just to clarify for anyone reading, a git revert will not solve the problem: you'll still have the .env file visible in your public git history. If you've accidentally committed a secret, you need to remove that commit completely.

If you catch the problem immediately, you can do a git reset HEAD^ followed by git push -f. This deletes the most recent commit and overwrites the remote Git history. If you realize too late what you've done, you'll need a slightly more complicated method (see this useful blog post for pointers).

Of course, on the Internet this is all pretty optimistic; someone could have scraped your secrets while they were publicly visible, even if only for a handful of seconds. The only way to really get your security back is to go change all your secret keys and passwords.


Yup! That's true. If at any time you feel that you have been compromised, never hesitate to reset those keys and passwords. In fact, it should be the first thing you should do before messing up the commit history. The less time the API key is valid, the better it will be for everyone (except potential hijackers).


Not to mention that git push -f opens the door to all kinds of accidents.

code of conduct - report abuse