Let's face it. .env files are amazing. They have an easy-to-read syntax that stores all of our essential configurations into one file. Not only that, they keep our deepest, darkest secrets as web developers. They make sure that our precious API keys and database passwords are kept locally, away from prying eyes. Having such a critical role in our code bases, we are constantly reminded by the community to never share our .env files; to treat them like how the government treats their confidential information.
This is especially enforced in the open-source community where everyone shares, copies, and reuses code with each other. Accidentally committing and pushing the .env file is considered by many as a relatable moment. Personally, I have never done it myself yet, but I'm sure my fate is sealed at this point.
As fun as it is to talk about "that one time you committed the goods" in a casual conversation between developers in a party, it is pretty alarming that it has become a common conversationβperhaps even a rite of passageβin web development.
A stain in the commit history
Running a quick search on GitHub reveals that there are still a number of people who didn't get the memo. The occasional add .env and remove .env commit titles appear every now and then in the search results. Looking into the content of the commits indeed shows their precious API keys and database passwords. It's honestly funny to see how they revert their changes like how a child becomes guilty of doing something they shouldn't have.
What's more alarming about this is that there are still some others who have not reverted their commits. The .env file is still alive and well in their repositories. For all we know, these might be real, actual API keys and database passwords they currently depend on in a regular basis. To make matters worse, sorting the search results by recently committed shows how common and frequent these commits are.
The problem with simply removing the .env file in the working tree is the fact that Git keeps a record of all the commits made in a repository, even the earliest ones. Unless clever tricks have been made (more on that later), committing that .env file will forever be a stain in the commit history. This is just what a version control system is supposed to do after all: keep a history of changes, even the bad ones.
Having said that, how does one handle sensitive data in a repository?
.gitignore is your best friend
Adding a .gitignore file to your repository is your first line of defense against these hiccups. Properly and explicitly specifying what files and directories to ignore is a surefire way of preventing sensitive data from ever reaching public repositories and prying eyes.
GitHub and gitignore.io provide general-purpose .gitignore templates for specific languages and environments. Most of the time, these templates are more than enough to suit your needs.
In the case of already having committed sensitive data in a repository, GitHub has a handy, and rather overkill, guide on how to purge a file from the commit history. "Overkill" is not a bad thing, though. One can never be too safe when it comes to security. π
We all make mistakes
We're all humans here. Nobody is perfect. Mistakes are just a part of life. In fact, it is probably one of the most important realities we have to face everyday. Without facing these mistakes, we can never become better developers. A huge part of learning isn't in the affirmation of success but in the recognition of the "whats" and "whys" of failure.
Sure, committing the .env file is a grave mistake. Sure, it will pose serious security risks in your app. Sure, the business will suffer significant losses. Sure, it will be a hassle to clean up the commit history. Sure, it will be hard to sleep at night knowing that you have been compromised. But if there's one good thing that comes out of this experience, it has to be the fact that you will come out as a better, more experienced developer in the end.
With that said, here's a toast to all the future projects that you will never commit the .env file to. Cheers! π₯ *clink* I shall conclude this article with a parting thought and a final reminder to you, the reader:
Please don't commit .env. You wouldn't want to end up at the top of GitHub's search results.
Oldest comments (76)
Thoughts on this?
Encrypt and check your secrets into git
david karapetyan
I agree with the post. It really comes down to resetting and revoking the validity of compromised API keys. Never mind messing up with the commit history; just leave it as is and reset those keys ASAP.
I looked into this for a project a while ago. I think it's an interesting solution for securely sharing secrets among people who are authorized to configure production servers.
But I also believe that those secrets shouldn't be shared across the entire team to avoid disaster mentioned in some of the anecdotes in this thread, specifically the one about the intern publishing production keys in an .env file. That intern and other devs shouldn't have ever access to those keys in the first place.
I feel that anyone who needs to have access to 3rd party API credentials for local development should just try to generate their own, by signing up developer accounts with those 3rd party web services and registering their own API clients.
It's overhead. But it only needs to be done once and makes absolutely sure that a leak of such credentials is not going to cause any major issues.
In case there is no easy way to sign up yourself (e.g. payment processor APIs) an encrypted store via Git like that makes sense for sharing sandbox environment credentials.
Ideally I believe that .env files and similar configuration files that contain confidential production credentials should be stored in the (encrypted) storage of the CI server and only bundled on build & deploy. A single source of truth, and a single possible point of failure.
vim ~/.gitignoreDo not think you will not make a mistake, be proactive and presume you will, we are only humans.
Edit: this will prevent adding to your project your IDE config files, environment and private keys
Awesome, just did this in all my repos.
We're glad to hear that!
Cheers! π₯ *clink*
Best and most useful solution. prevention before cure.
That's pretty dangerous advice because it depends on how you configure your application.
I personally commit
.envfiles because they don't contain sensitive information and typically having settings important to being able to start up my app in development. I have a feeling just about anyone using Docker Compose would also commit.envfiles too since it's used for setting your project name.I reserve
.env.prodor other environment specific files for sensitive API keys and other things I wouldn't want to commit.It is not dangerous and also .env.prod is very specific.
You can always commit the files from gitignore, but you have to do it explicitly, so you avoid mistakes
--force.I just mean putting it into your main
.gitignorefile is dangerous because you run the risk of not committing essential settings to make your project work if it depends on.envbeing around.Using
--forceevery time they want to add a file isn't a viable solution IMO. That's a command you might run 50 times a day.In other words, you should add
.envon a per project basis when your project may have.envfiles that contain sensitive info, just like you would want to ignore any other files that have sensitive data.You shouldn't ignore the idea folder. you're supposed to commit almost all of it to the repo.
intellij-support.jetbrains.com/hc/...
rider-support.jetbrains.com/hc/en-...
Nope, thats what they say but is it a bad practice.
Each env had its own tweaks and sometimes diffenrent platforms, tasks, settings and folders. Each dev should have the liberty of using its own IDE in their own productive way.
Ah yes, let's not use the tool as instructed. That will go great.
Yeah, and they tell you exactly which things to exclude in order to get that.
You should include the idea folder. End of story.
No, sorry.
Do some research on the topic you will see that many other developers share my opinion. Do not blindly trust the IDE creators, for them is a business, for you is just a tool.
IDE's are local tools, they are not related to the project. A big project then will have
.vim
.idea
.eclipse
.atom
.vscode
folders. Where did you saw that?
You can also browse popular open source projects source code and see that most of them do not have IDE config files.
That's because devs want "clean" repos, but there is a JetBrains template, which will ignore USER settings, but you should still commit PROJECT setttings, as not all settings can be read from
.editorconfigor linting etc.... This will help other devs that uses that IDE to not waste time on configuring the IDE to get auto-format correct etc... Also VSCode has files that should be committed.Just to clarify for anyone reading, a
git revertwill not solve the problem: you'll still have the.envfile visible in your public git history. If you've accidentally committed a secret, you need to remove that commit completely.If you catch the problem immediately, you can do a
git reset HEAD^followed bygit push -f. This deletes the most recent commit and overwrites the remote Git history. If you realize too late what you've done, you'll need a slightly more complicated method (see this useful blog post for pointers).Of course, on the Internet this is all pretty optimistic; someone could have scraped your secrets while they were publicly visible, even if only for a handful of seconds. The only way to really get your security back is to go change all your secret keys and passwords.
Not to mention that
git push -fopens the door to all kinds of accidents.Yup! That's true. If at any time you feel that you have been compromised, never hesitate to reset those keys and passwords. In fact, it should be the first thing you should do before messing up the commit history. The less time the API key is valid, the better it will be for everyone (except potential hijackers).
110% this. Thank you for sharing Some Dood. And nice GitHub search results to boot! :)
Thank you! I appreciate it. On the note of the GitHub search results, I was really disturbed by how many commits are being made with a similar title. I just felt the need to write about it as a PSA and a friendly reminder to all that they shouldn't commit the
.envfile unless it's there for a justifiable reason, such as the case with @buphmin .I agree 100% in any real project.
That said I have a repo on github right now, symfony4-impressions, that I explicitly intended to commit the .env and give to people. In this case I wanted people to have the foobar password for the docker mysql container so they can easily run the performance benchmarks to see for themselves if they wanted.
I agree 100% in any real project.
That said I have a repo on github right now, symfony4-impressions, that I explicitly intended to commit the .env and give to people. In this case I wanted people to have the foobar password for the docker mysql container so they can easily run the performance benchmarks to see for themselves if they wanted.
I add on
~/.gitignore_global. π£π£That's good and all, but as @matthias mentioned, it's still important to add them to your repositories because other people will also work on them. They might not have configured their global
.gitignorelike you have, which might cause them to accidentally commit the.envfile.Itβs a good idea to put such things into your global
.gitignore.But keep in mind that you mostly work in projects with other people, so you have to put those things into your repositories
.gitignoretoo, to avoid that your co-workers commit secrets.oh thank you. :) I care this.
If .env files are so popular, git should warn before such file is commited. Writing a validation could help millions of developers
Now that you mentioned it, I'm surprised that it hasn't been implemented yet.
I see no point in the general advice, not to commit a
.env-file per se: I do it frequently and wondered what this post is about.It is not about committing a standard configuration in your repo, which could be overriden e.g. by a
.env.local. It is about not storing secrets in your repository. That's another topic and indeed best practice.So my usage of
.envseems to differ: providing a sane default configuration, which can and should be overridden and does not contain any secrets whatsoever.For managing secrets in a repo there is an interesting approach by stackoverflow: github.com/StackExchange/blackbox
which unfortunately I had not the time trying, but looks interesting.
Yes, it's definitely okay to commit the
.envfile if and only if they contain general and not-so-sensitive information. Otherwise, the point of this article is to remind people that they should think twice before they commit.envfiles because of the serious ramifications that come with it.The only thing I don't like about doing this is that when I change the defaults, they now show up as a diff. On some of my smaller projects I SSH onto the server and just pull the latest changes, so if I've made a change to my default
.envfile I have to worry about conflicts. I can avoid this problem in production by having the defaults be my production settings, but then I constantly have a dirty file in development.The best solution to this in my opinion is to not commit
.envand instead commit a.env.example. Then all you have to do iscp .env.example .envand you have the exact same things as before but without a dirty file when you change settings.Hmmm. Interesting. I came into first contact with .env files via vuejs. It seems there, that you have a .env file which acts like your ".env.example" and could have a .env.local which contains overrides.
But doing some research that seems an uncommon practice π€
Mostly there is one .env and it isn't committed.
Oh, no. That's just really unfortunate. Do they still remind you to this day or did they terminate the service?
Wow. It makes me wonder what the hijacker did to rack up a bill of $600.
I faced the same issue because of our intern. He published
.envfile for everyone on the internet.The
.envfile contains mail, google cloud and bank API keys. It was really terrible.How did you guys manage the situation? Did everyone scramble to reset the API keys while others scrambled to clean up the working tree and commit history?
I regenerate the mail and bank API keys. I also bank added IP limit to bank API portal.
Our lead was so angry. I created a script to remove critical commit histories before we faced this situation (about 2 years ago). I ran that shell script.
But it was so dangerous. Normally we don't have published repositories.
I can say this was our fault.
I take it that the intern didn't stay there for long...
is it ok to commit on private repos?
Yes, it could be okay to commit there. At least it's not public. As long as you really trust the cloud service hosting your repository, then it should be fine. No guarantees, though. It's a risk you take when you put something in the internet.
Thank you for the tip on how to get my projects to the top of the search results...
There's sooooooo... many unaware user be out there , anybody can literally bring their whole business to an end! π
I tried to talk with some of them and make them aware, but got no response for months..π
Seems like they're like,
You could always show them a demo of the amount of damage you can do if you had access to that "small"
.envfile. I'm sure they'll be alarmed after that.Will Do.
I've seen many juicy leaks there such as Google Cloud Platform Keys , Facebook Credentials , GitHub Credentials and even someone's phone number π
Hack responsibly! π
Just Proof-Of-Concept π
Be very careful when doing this as some wildly misguided company may accuse you of hacking and try and prosecute.
I'm sure he'll be informing them about the demo beforehand. π
@somedood , Yes Yes!
How typical of them. Hays... π€¦ββοΈ