Skip to content

Free .env file exposure checker

A publicly downloadable .env file hands attackers every secret your app has — database URLs, API keys, tokens. Default deployments on some AI platforms leave these reachable.

No signup for a shallow scan · we never store your source code

Free · no signup · we never store your source code

  • We prove vulnerabilities by reproducing them — not guesses
  • Tamper-evident record of what your AI agents do
  • We never store your source code

What the agent checks

  • Publicly downloadable .env
  • Exposed .git directory
  • Other sensitive config and backup files
  • Stack and framework disclosure

Ask the agent — FAQ

How do I check if my .env file is public?

Paste your app's URL and tell Opviva to check it — the agent requests common sensitive paths on your live app and reports anything publicly downloadable.

What happens if my .env is exposed?

Anyone can download every secret in it — database credentials, API keys, tokens — and take over your services. It must be removed from the public path immediately.

Can Opviva fix an exposed .env?

Yes — once the agent proves it's reachable, it opens a reviewed pull request that removes the file from the public path and rotates the affected secrets where possible.