Free .env file exposure checker
A publicly downloadable .env file hands attackers every secret your app has — database URLs, API keys, tokens. Default deployments on some AI platforms leave these reachable.
Free · no signup · we never store your source code
- We prove vulnerabilities by reproducing them — not guesses
- Tamper-evident record of what your AI agents do
- We never store your source code
What the agent checks
- Publicly downloadable .env
- Exposed .git directory
- Other sensitive config and backup files
- Stack and framework disclosure
Ask the agent — FAQ
How do I check if my .env file is public?
Paste your app's URL and tell Opviva to check it — the agent requests common sensitive paths on your live app and reports anything publicly downloadable.
What happens if my .env is exposed?
Anyone can download every secret in it — database credentials, API keys, tokens — and take over your services. It must be removed from the public path immediately.
Can Opviva fix an exposed .env?
Yes — once the agent proves it's reachable, it opens a reviewed pull request that removes the file from the public path and rotates the affected secrets where possible.
