Node.js is an environment for creating server-side applications in JavaScript. One Node.js convention that developers like to use is .env files, which let you easily save and load environment variables. Developers often use them to store confidential information. However, sometimes they forget to disable outside access to these files, which can lead to major security problems.


How JavaScript Went Server-Side

There would be no web without JavaScript. Originally, this language was used only in the browser. It was one of the most important technologies that allowed static HTML sites to become dynamic.

In 2009, Ryan Dahl saw an upload progress bar on Flickr. The code for this progress bar had to query the web server because it had no information about how much of the file had been uploaded. Dahl wanted a more efficient solution, so he created Node.js on the basis of the JavaScript language. This environment lets you build web servers and network tools with the help of many modules. Effectively, Node.js helped skilled front-end developers to become full-stack developers.

Where Do I Store Secrets?

Secret information, such as passwords and API keys, must be stored securely. However, this information must also be easy to access and modify. One of the common ways to store such information is to use configuration files. In the case of Node.js, a very popular approach is to use .env files. Their big advantage is that such files are loaded automatically and their contents put into environment variables. This makes it very easy for developers to access them in the code.


Node.js developers often come from the world of the front end, where security considerations are quite different from those at the back end. Therefore, it is no surprise that they often forget to double-check how securely secret information is stored. The key factor for them is often ease of access for the Node.js framework.

The Acunetix team conducted research to see how often Node.js .env files are stored on the web server in locations that are accessible from the outside. The results were shocking. Just one simple Google query shows how easily accessible .env files often are.

intitle:"index of" ".env"

[Screenshot: Google search results for the query above]

Safeguard Yourself with Acunetix

The Acunetix web vulnerability scanner now features a check that helps you make sure that your developers are not exposing Node.js .env files to the public. Although not every .env file must contain confidential information, there is absolutely no reason to make them publicly accessible. If you find this to be the case, you can easily remediate by changing access rights.

THE AUTHOR
Acunetix

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.