Code Room
On-call · Medium
Question
A researcher emails security@: your production '.env' file is being served at https://app.example.com/.env (HTTP 200, full contents). It contains a database URL with password, a SendGrid API key, a JWT signing secret, and an OAuth client secret. Web access logs show the path /.env has been requested ~4,000 times over the past 11 days from many IPs (it's a common scanner target). A static-export build config change shipped 11 days ago. How do you triage, contain, and remediate this secret exposure?
What a strong answer looks like
Stop the bleeding first (mitigate): take /.env out of the served tree and deny the path at the edge, then confirm with a fresh request that it no longer returns 200. Treat every secret in the file as compromised, since the researcher is only one of the many requesters over the 11 days, and rotate all four: the database password, the JWT signing secret (which also invalidates every token issued under it), the OAuth client secret, and the SendGrid API key. Then form hypotheses from real signals: the static-export change shipped 11 days ago lines up with the exposure, so confirm from the access logs when /.env first returned 200 rather than 404, and check each credential's own audit trail (database logins, SendGrid send activity, OAuth token grants, sessions that were never issued by your login flow) for misuse. Separate root cause (the build now copies the dotfile into the published output) from symptom (the file is reachable), communicate status as you go, and close with what prevents a repeat: secrets supplied from the environment or a secrets manager instead of a file in the build tree, a CI check that fails the export if it contains dotfiles, and a standing edge rule that refuses dotfile paths.
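The two signal-driven steps above, reading the access logs to size the exposure window and recording which secrets must be rotated without copying their values into the ticket, as an added example that is not part of the original page. The log lines, the deploy time, the .env contents and the `/.env` path are all constructed for the example; the log format is the nginx/Apache "combined" format.

```python
"""Triage of a served /.env file: log analysis plus a rotation checklist.

Added example, not code from the page. All inputs below are constructed.
"""
import hashlib
import re
from collections import Counter
from datetime import datetime, timezone

# nginx/Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log. The hypothetical deploy that broke the export is 2 March;
# the 404 on 1 March is the same scanner probing before the file was reachable.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2024:02:14:09 +0000] "GET /.env HTTP/1.1" 404 153 "-" "zgrab/0.x"
203.0.113.7 - - [03/Mar/2024:09:30:41 +0000] "GET /.env HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.23 - - [03/Mar/2024:09:31:02 +0000] "GET /.env HTTP/1.1" 200 412 "-" "curl/8.4.0"
198.51.100.23 - - [03/Mar/2024:09:31:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.4.0"
192.0.2.55 - - [04/Mar/2024:17:05:10 +0000] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2024:11:00:00 +0000] "GET /.env HTTP/1.1" 200 412 "-" "python-requests/2.31"
"""
DEPLOY_AT = datetime(2024, 3, 2, 12, 0, tzinfo=timezone.utc)  # hypothetical deploy time

# Constructed .env matching the scenario; the values are placeholders, not real secrets.
SAMPLE_ENV = """\
DATABASE_URL=postgres://app:s3cretpass@db.internal:5432/prod
SENDGRID_API_KEY=SG.placeholder-key
JWT_SECRET=placeholder-jwt-secret
OAUTH_CLIENT_SECRET=placeholder-oauth-secret
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def triage(entries, path="/.env", deploy_at=DEPLOY_AT):
    """Separate scanner probes (non-200) from actual disclosures (200) of `path`."""
    hits = [e for e in entries if e["path"] == path]
    served = [e for e in hits if e["status"] == 200]
    return {
        "requests": len(hits),
        "served": len(served),  # real disclosures, not the raw request count
        "unique_ips_served": len({e["ip"] for e in served}),
        "first_served": min((e["ts"] for e in served), default=None),
        "last_served": max((e["ts"] for e in served), default=None),
        # A 200 before the deploy means the build change is not the whole story.
        "served_before_deploy": sum(1 for e in served if e["ts"] < deploy_at),
        # More than one body size means the file's contents changed during the window.
        "body_sizes": sorted({e["size"] for e in served}),
        "top_ips": Counter(e["ip"] for e in served).most_common(3),
    }


def fingerprint(value):
    """Short SHA-256 prefix: safe to paste into a ticket, enough to recognise a value."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def exposed_secrets(env_text):
    """Return {KEY: fingerprint} for every non-empty value in a dotenv file.

    Record fingerprints, never values, in the incident write-up; comparing them
    against the live values later shows which rotations are still outstanding.
    """
    out = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip().strip('"').strip("'")
        if value:
            out[key.strip()] = fingerprint(value)
    return out


def unrotated(exposed, current_env_text):
    """Keys whose live value still matches the fingerprint of the exposed value."""
    now = exposed_secrets(current_env_text)
    return sorted(k for k, fp in exposed.items() if now.get(k) == fp)


if __name__ == "__main__":
    for k, v in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
    print("still unrotated:", unrotated(exposed_secrets(SAMPLE_ENV), SAMPLE_ENV))
```

`served` and `first_served` are the numbers for the status update: the 4,000 requests in the question are mostly scanner probes, and the ones that got a 200 after the deploy are the actual disclosures. `served_before_deploy` is the check on the root-cause hypothesis; if it is non-zero, the file was reachable before the static-export change and something else also needs fixing.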