.env
.env.backup

They try to list every permutation manually. They forget to add .env-production. Or they rely on an IDE plugin that auto-generates a .gitignore without the wildcard.
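An added example, not from the original page, that checks which env-style file names a given .gitignore leaves trackable. It compares the manual two-entry list above with a wildcard rule. The `.env*` pattern, the `!.env.example` exception, the candidate file names and the function names are assumptions made for illustration, and the matcher models only slash-free patterns and `!` negation, not the full gitignore syntax.

```python
"""Audit which env-style file names a .gitignore would leave trackable."""
from fnmatch import fnmatchcase

# Constructed candidates: common variants of the .env file name.
CANDIDATES = [
    ".env", ".env.backup", ".env-production", ".env_production",
    ".env.production", ".env.local",
]

# The manual list from the text, and an assumed wildcard alternative.
MANUAL = ".env\n.env.backup\n"
WILDCARD = ".env*\n!.env.example\n"


def is_ignored(name, gitignore_text):
    """Return True if the basename `name` ends up ignored.

    Simplified model: slash-free patterns are matched against the
    basename, the last matching pattern wins, and '!' re-includes.
    """
    ignored = False
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        negate = line.startswith("!")
        pattern = line[1:] if negate else line
        if "/" in pattern:
            continue  # path-anchored patterns are outside this model
        if fnmatchcase(name, pattern):
            ignored = not negate
    return ignored


def unprotected(gitignore_text, candidates=CANDIDATES):
    """Return the candidate names that git would still offer to track."""
    return [n for n in candidates if not is_ignored(n, gitignore_text)]


if __name__ == "__main__":
    print("manual list misses:  ", unprotected(MANUAL))
    print("wildcard rule misses:", unprotected(WILDCARD))
```

On a real repository, `git check-ignore -v <file>` reports the rule that actually applies to a path.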
env.production
env.development

These files are less likely to be served statically because they lack the leading dot that triggers special web server rules. If you must keep files in the root, replace the hyphen with an underscore or a dot.
In the modern landscape of software development, the humble .env file has become as ubiquitous as index.js or main.py. It is the standard bearer for configuration management, holding the keys to our digital kingdoms—API secrets, database passwords, encryption salts, and cloud credentials.
Or, use naming without the dot prefix:
# DANGEROUS
COPY .env-production /app/.env

If your Dockerfile copies .env-production into the image, it is now baked into the container. Anyone with access to the image (e.g., a public registry, or a compromised CI runner) can extract it via docker history.