Where Do I Store Secrets?
Secret information, such as passwords and API keys, must be stored securely, yet it must also be easy to access and modify. One common way to store such information is in configuration files. In the case of Node.js, a very popular approach is to use .env files. Their big advantage is that they are loaded automatically at application startup and their contents are placed in environment variables, which makes the values very easy for developers to access in code.
Node.js developers often come from the front-end world, where security considerations are quite different from those at the back end. It is therefore no surprise that they often forget to double-check how securely secret information is stored; the deciding factor for them is often how easily the Node.js framework can access it.
The Acunetix team conducted research to see how often Node.js .env files are stored on the web server in locations that are accessible from the outside. The results were shocking. A single simple Google query shows how easily accessible .env files often are:
intitle:"index of" ".env"
Safeguard Yourself with Acunetix
The Acunetix web vulnerability scanner now features a check that helps you make sure your developers are not exposing Node.js .env files to the public. Although not every .env file contains confidential information, there is absolutely no reason to make one publicly accessible. If you find that this is the case, you can easily remediate it by changing the access rights.