The .env- Problem

In the modern landscape of software development, the humble .env file has become as ubiquitous as index.js or main.py. It is the standard bearer for configuration management, holding the keys to our digital kingdoms: API secrets, database passwords, encryption salts, and cloud credentials.

But a new pattern has emerged in the developer lexicon, often whispered about in post-mortem meetings and Slack channels: .env- (dot-env-dash).

You might have seen it as .env-production, .env-staging, .env-backup, or .env-old. The files look innocent, but the hyphen after the .env prefix is behind one of the most common, and most easily fixed, secret-leak vulnerabilities in web applications today. The reason is mundane: a .gitignore entry that lists only .env matches the file literally named .env and nothing else, so every .env-something copy is eligible for commit while the original stays safely ignored.

A developer needs a config for production debugging. They type:

```sh
cp .env .env-$(date +%Y-%m-%d)
```

Every day, a new .env-YYYY-MM-DD file was created. The .gitignore only listed .env (no asterisk). One day, a developer ran git add --all and committed 90 days' worth of .env- files to a public repository. Within six hours, bots had scraped the AWS keys and spun up $50,000 worth of cryptocurrency miners.

The fix starts in .gitignore. If you write:

```
.env*
```

...you ignore .env, .env-bak, .env-local, and .env-production. This is safe. However, many developers mistakenly write:

```
.env
```

which ignores only the file literally named .env. One caveat with the wildcard: .env* also ignores .env.example, which most teams want tracked as a template, so re-include it explicitly on the next line with !.env.example.

A .gitignore entry is only a default, and a deliberate git add -f still wins, so add a second line of defence: a pre-commit hook that refuses to commit any file whose name starts with .env-. The hook below inspects only what is actually staged (git diff --cached), so a stray untracked .env-backup on disk does not block unrelated commits:

```sh
#!/bin/sh
# Refuse the commit if any staged path has a basename beginning with ".env-".
if git diff --cached --name-only --diff-filter=ACR | grep -qE '(^|/)\.env-'; then
  echo "❌ ERROR: Found .env- file staged for commit." >&2
  echo "These files are a security risk. Remove the hyphen or use a different naming convention." >&2
  exit 1
fi
```

Save it as .git/hooks/pre-commit and make it executable:

```sh
chmod +x .git/hooks/pre-commit
```

Stay secure. Stay vigilant. And never trust a dash.
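To see the .gitignore mismatch for yourself rather than take it on faith, the following script builds a throwaway repository containing the files from the story and asks git (with add --all --dry-run) which of them would be staged under each .gitignore variant. This is an added example, not code from the original post; the file names, the constructed secret value and the helper names (make_repo, staged_with_ignore, count_env_dash) are assumptions, and it assumes git is on PATH.

```sh
#!/bin/sh
# Added example: demonstrate which files `git add --all` would stage under
# three .gitignore variants. Requires git; everything else is POSIX sh.
set -eu
export LC_ALL=C   # stable sort order and untranslated git messages

# The two .gitignore bodies compared in the post, plus the variant that keeps
# a tracked template file. (Assumed names; .env.example is a common convention.)
IGNORE_BAD='.env'
IGNORE_GOOD='.env*'
IGNORE_GOOD_WITH_EXAMPLE='.env*
!.env.example'

# Create a scratch repository with the files from the story and print its path.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  # Constructed, non-real secret so the demo has something worth leaking.
  printf 'AWS_SECRET_ACCESS_KEY=constructed-not-a-real-key\n' > "$dir/.env"
  cp "$dir/.env" "$dir/.env-2024-01-15"      # the daily cp .env .env-$(date ...) backup
  cp "$dir/.env" "$dir/.env-production"      # the "innocent" environment copy
  printf 'AWS_SECRET_ACCESS_KEY=\n' > "$dir/.env.example"   # template, no secret
  echo "$dir"
}

# Write $2 as the repo's .gitignore, then print (space separated, sorted) the
# paths `git add --all` would stage. --dry-run prints lines like: add '.env-production'
staged_with_ignore() {
  printf '%s\n' "$2" > "$1/.gitignore"
  git -C "$1" add --all --dry-run \
    | sed -n "s/^add '\(.*\)'$/\1/p" \
    | sort | tr '\n' ' '
}

# Count how many of the would-be-staged files start with ".env-".
count_env_dash() {
  staged_with_ignore "$1" "$2" | tr ' ' '\n' | grep -c '^\.env-' || true
}

repo=$(make_repo)
echo ".gitignore = .env                 -> $(staged_with_ignore "$repo" "$IGNORE_BAD")"
echo ".gitignore = .env*                -> $(staged_with_ignore "$repo" "$IGNORE_GOOD")"
echo ".gitignore = .env* + !.env.example -> $(staged_with_ignore "$repo" "$IGNORE_GOOD_WITH_EXAMPLE")"
rm -rf "$repo"
```

With the bare .env entry the original secret file stays out of the commit, but both .env- copies (and the template) are staged, which is exactly the sequence of events in the post-mortem. With .env* nothing but .gitignore itself is staged, and the negation line brings back only .env.example.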