What should I do if I accidentally commit .env to Git?
Rotate ALL secrets immediately (they are compromised). Remove .env from Git with git rm --cached .env. Add .env to .gitignore. Generate new secrets for everything (JWT, database password, API keys). Commit the fix. Consider using git filter-branch to remove from history.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in Securing Credentials in Node.js Best Practices for API Keys, Secrets, and Passwords
Use .env files (never commit to Git), generate strong random secrets (crypto.randomBytes), use AWS Secrets Manager for production, use IAM roles on EC2 instead of access keys, use different secrets per environment, never log secrets, and rotate keys regularly.
A managed service that stores, encrypts, and rotates secrets. Store your database URI, JWT secret, API keys as a JSON secret. Retrieve with the AWS SDK. Costs $0.40 per secret/month. Provides automatic rotation, audit trail, and IAM integration.
Create an IAM role with the needed permissions (SES, S3, etc.), attach the role to your EC2 instance. The AWS SDK automatically uses the role's temporary credentials. No access keys in .env, automatic rotation, and least privilege.
Still have questions?
Browse all our FAQs or reach out to our support team
