What secrets does the .ENV Inspector detect?

The inspector checks variable names against patterns for API keys, tokens, passwords, secrets, private keys, credentials, certificates, database connection strings, signing keys, HMAC secrets, bearer tokens, and access keys. It flags any variable whose name matches these patterns as potentially sensitive. It does not analyze the value itself — any variable matching the pattern is marked for review.

What is a .env.example file and why do I need one?

A .env.example (also called .env.sample or .env.template) is a version of your .env file with all secret values removed or replaced with placeholders. It documents what environment variables your application needs without exposing actual secrets. Best practice is to commit .env.example to your Git repository and add .env to your .gitignore file. New developers can copy .env.example to .env and fill in their own values.

How do I prevent .env files from being committed to Git?

Add .env to your .gitignore file immediately. If you have already committed a .env file, you must rotate all exposed secrets — they are permanently in your git history even after deletion. Use 'git rm --cached .env' to remove it from tracking, then add to .gitignore. Consider using tools like git-secrets or truffleHog to scan your history for exposed credentials.

.ENV Inspector — Secret Scanner & Multi-Format Export

Your secrets stay local: This tool runs entirely in your browser. Zero network requests are made — verified via DevTools Network tab.

.env file contents

🔍

Paste your .env file above

Detects secrets, validates format, and generates .env.example

What Does the .ENV Inspector Check?

The .ENV Inspector analyzes your environment variable file for three categories of issues: secret exposure risk, format problems, and completeness. It parses each line, classifies variables by sensitivity, and helps you generate a safe template file for your team.

Secret Pattern Detection

The inspector flags variables whose names match common patterns for sensitive credentials. Variables are classified as secrets when their key contains any of these patterns:

API credentials: API_KEY, API_SECRET, API_TOKEN, ACCESS_KEY, ACCESS_TOKEN
Authentication: PASSWORD, PASSWD, PWD, AUTH, BEARER, OAUTH, SESSION_SECRET
Cryptographic: PRIVATE_KEY, SECRET, HMAC, SALT, SIGNING_KEY, ENCRYPTION_KEY
Database: DATABASE_URL, DB_URL, MONGO_URI, POSTGRES_URL, MYSQL_URL, CONNECTION_STRING, DSN
Infrastructure: WEBHOOK_SECRET, CERTIFICATE, CREDENTIAL, REDIS_PASSWORD

Common .env Format Issues

Missing equals sign: Every variable must follow the KEY=VALUE pattern. Lines without = are invalid.
Invalid key names: Keys should only contain uppercase letters, numbers, and underscores. Keys starting with numbers or containing spaces are invalid in most environments.
Unquoted values with spaces: Values containing spaces should be wrapped in quotes: APP_NAME="My Application"
Inline comments: Some parsers do not support inline comments (PORT=3000 # web port). Put comments on their own line.
Trailing spaces: Trailing whitespace in values can cause subtle bugs, especially with passwords and tokens.

.env Security Best Practices

Always add .env to .gitignore: Run echo ".env" >> .gitignore before your first commit. Once a secret is in git history, it must be considered compromised — rotation is the only fix.
Commit .env.example instead: Document which variables are needed without exposing actual values. New team members copy this file and fill in their own secrets.
Use different credentials per environment: Production, staging, and development should each have separate API keys and database credentials. Never reuse production secrets in development.
Rotate secrets regularly: Treat secrets like passwords — rotate them periodically and immediately when someone with access leaves the team.
Use a secret manager in production: For production workloads, prefer dedicated secret management solutions like AWS Secrets Manager, HashiCorp Vault, or Doppler over .env files on disk.
Never log environment variables: Avoid printing process.env to logs, especially in production. Set up log filtering to redact sensitive patterns.

Environment Variable Security in Modern Development

Environment variables are the standard way to configure applications without hardcoding sensitive values. However, mismanaging them is one of the most common causes of security breaches. Understanding proper .env file handling is critical for every development team.

The .env File Lifecycle: From Development to Production

Development: Use a .env file with dummy or local values. Commit a .env.example file with all required keys (but no real values) so new team members know what to configure.
CI/CD: Never store secrets in your repository. Use your CI platform's secret management (GitHub Actions Secrets, GitLab CI Variables, or CircleCI Contexts) to inject env vars at build time.
Staging/Production: Use a dedicated secrets manager like AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, or Doppler. These provide audit logs, automatic rotation, and access control.

Common .env Security Mistakes

Committing .env to Git: Even if you delete the file later, it remains in Git history forever. If this happens, immediately rotate all exposed secrets and use git filter-branch or BFG Repo-Cleaner to purge the file from history.
Logging Environment Variables: Never log the full environment (console.log(process.env) or print(os.environ)). This dumps all secrets to your log aggregator where they may be accessible to unauthorized team members.
Sharing via Chat/Email: Never share secrets through Slack, email, or any messaging platform. Use your secrets manager's sharing feature, or one-time secret sharing tools like Doppler or 1Password's secure sharing.
Using Secrets in Frontend Code: Environment variables prefixed with NEXT_PUBLIC_, VITE_, or REACT_APP_ are embedded in the client-side bundle and visible to anyone. Never put API keys, database credentials, or auth secrets in frontend env vars.

Secret Detection and Prevention

Automate secret detection in your development workflow to catch leaks before they reach production. Tools like git-secrets, truffleHog, and detect-secrets can scan commits for patterns matching API keys, passwords, and tokens. GitHub also provides built-in secret scanning for public repositories that alerts you when known secret formats are detected in your code.

Frequently Asked Questions about .env Files

Is it safe to paste my .env file into this tool?

Yes — this tool runs entirely in your browser. No data is transmitted to any server. You can verify this by opening your browser's DevTools → Network tab while using the tool. You will see zero outgoing requests. The analysis happens locally in JavaScript and disappears when you close the tab.

What is a .env file and how does it work?

A .env (dotenv) file is a plain text file that stores environment variables for your application. Variables follow the KEY=VALUE format, one per line. Libraries like dotenv (Node.js), python-decouple (Python), or godotenv (Go) load these files at startup, making the variables available as environment variables in your process. This separates configuration from code — the same codebase runs in development, staging, and production with different .env files.

What's the difference between .env, .env.local, and .env.production?

Many frameworks (Next.js, Vite, Create React App) support multiple .env file variants with different loading priorities. .env is the default loaded in all environments. .env.local overrides .env and is ignored by git. .env.production and .env.development are environment-specific. .env.local always takes priority over environment-specific files. Check your framework's documentation for the exact loading order.

My .env file was accidentally committed to Git — what should I do?

Immediately rotate all exposed credentials — they should be considered compromised because git history is permanent even after deletion. Remove the file with git rm --cached .env, add .env to .gitignore, and force-push to overwrite history with git filter-branch or BFG Repo Cleaner. If the repo is public or has been cloned, assume all secrets are compromised regardless of history rewriting.

Related Developer Tools

AI Token Counter — count tokens for GPT-4o, Claude, Gemini
JWT Decoder & Inspector — decode JSON Web Tokens securely in browser
Docker Compose Generator — generate docker-compose.yml with services
View all free developer tools

.ENV Inspector — Free Online Tool

Variable Analysis

Format Issues

.env.example Safe to commit

Export Formats