πŸ” HACKER X .env stealth voice briefing
⚑ // ROOT‑LEVEL SECURITY // .env MUST NOT BE PUBLIC
πŸ” HACKER X .env SECURITY BRIEF
AKA "Stop putting your API keys where script kiddies can find them"

Listen up. You've been doing this wrong. Not "kinda wrong" but spectacularly, hilariously wrong.
But don't feel bad. Every self-taught dev goes through this phase where they think
"surely my .env file is safe in public_html/ alongside index.html."

Narrator: It was not safe.

If you expose .env in a public folder, game over.
Some bot scraping GitHub or your poorly-configured server is gonna yoink those credentials
faster than you can say "wait I thought Apache would protect me."

>> PHP old school: .env sits one level above public_html/.
Why? Because Apache only serves files FROM public_html. Your .env lives in the penthouse,
unreachable by web requests. PHP code can still read it (with ../.env) but browsers can't.

But Node.js? Completely different game.
Node doesn't give a damn about Apache's directory rules because server.js IS the web server.
YOU decide what gets served through code, not folder structure.

πŸ“ CORRECT NODE.JS LAYOUT (HOSTINGER / ANY LINUX SERVER)
/var/www/webamp-ultimate/ <-- app home (server.js + .env LIVE HERE)
/var/www/webamp-ultimate/public/ <-- static files (index.html, styles.css, your pretty frontend)

💣 THE MISTAKE THAT KILLS PROJECTS:
Uploading .env inside public/ because "it needs to be with the HTML, right?"
Wrong. Now anyone can visit yoursite.com/.env and read your keys.
Congratulations, you just open-sourced your API credentials to the entire internet.

πŸ›‘οΈ THE FIX (THAT SHOULD'VE BEEN OBVIOUS):
.env stays at the SAME LEVEL as server.js. Always. Forever. No exceptions.
Your server code runs from that directory, reads .env from there, and serves ONLY the public folder.

🧪 HACKER X SECURITY CHECKLIST:
• SSH into your server, run ls -la in your app root
• .env should be present with permissions 600 (owner read/write only)
• require('dotenv').config() loads the values from .env into process.env
• app.use(express.static('public')) serves ONLY the public folder
• Try accessing yoursite.com/.env in a browser: it should 404
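
The checklist above as code, in an added example that is not from the original page: it audits an app directory for a misplaced or over-permissive .env and shows a path resolver that refuses dotfiles and ../ escapes. The function names (resolvePublicPath, auditEnvPlacement, demo) and the temporary directory are assumptions made for illustration, and it uses only core Node modules on a POSIX host.

```javascript
// Added example. Core Node modules only; all paths and key values are constructed.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Map a request path to a file under publicRoot, or null if it must not be served.
function resolvePublicPath(publicRoot, urlPath) {
  let decoded;
  try { decoded = decodeURIComponent(urlPath.split('?')[0]); } catch { return null; }
  const root = path.resolve(publicRoot);
  const target = path.resolve(root, '.' + decoded);
  if (target === root) return path.join(root, 'index.html');
  if (!target.startsWith(root + path.sep)) return null; // escaped public/ via ../
  const segments = path.relative(root, target).split(path.sep);
  if (segments.some((s) => s.startsWith('.'))) return null; // dotfiles such as .env
  return target;
}

// Checklist items as code: .env in the app root with mode 600, none under public/.
function auditEnvPlacement(appRoot, publicDir = 'public') {
  const findings = [];
  const envFile = path.join(appRoot, '.env');
  if (!fs.existsSync(envFile)) findings.push('.env missing from app root');
  else if ((fs.statSync(envFile).mode & 0o777) !== 0o600) findings.push('.env permissions are not 600');
  if (fs.existsSync(path.join(appRoot, publicDir, '.env'))) findings.push('.env found inside ' + publicDir + '/');
  return findings;
}

// Build a throwaway app tree with both mistakes, audit it, fix it, audit again.
function demo() {
  const appRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'env-audit-'));
  const pub = path.join(appRoot, 'public');
  fs.mkdirSync(pub);
  fs.writeFileSync(path.join(pub, 'index.html'), '<h1>ok</h1>');
  for (const dir of [appRoot, pub]) {
    fs.writeFileSync(path.join(dir, '.env'), 'API_KEY=constructed-placeholder\n');
    fs.chmodSync(path.join(dir, '.env'), 0o644); // deliberately too open
  }
  const before = auditEnvPlacement(appRoot); // two findings expected
  fs.rmSync(path.join(pub, '.env'));
  fs.chmodSync(path.join(appRoot, '.env'), 0o600);
  const after = auditEnvPlacement(appRoot); // clean
  const blocked = ['/.env', '/../.env', '/%2e%2e/.env'].map((u) => resolvePublicPath(pub, u));
  const served = resolvePublicPath(pub, '/index.html');
  fs.rmSync(appRoot, { recursive: true, force: true });
  return { before, after, blocked, served: path.basename(served) };
}
```

With Express, express.static already skips dotfiles by default (its dotfiles option defaults to 'ignore'); a hand-written file handler, or a front-end web server pointed at public/, gives no such protection, which is why the audit still flags a .env under public/.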

→ Real talk: you're not stupid for getting this wrong.
This is the "one-move enlightenment" moment. Every past project that mysteriously failed?
Probably had .env in the wrong galaxy. Now you know.

THE PHILOSOPHICAL DIFFERENCE:
• PHP/Apache = directory-based security (folder structure protects you)
• Node.js = code-based security (your code decides what's public)

You've been applying PHP muscle memory to Node projects. Classic mistake.
But now? Brain transplant complete. .env lives with server.js. Always.

🔥 Welcome to actually understanding backend security.
- HACKER X, Signal City Radio