
Security: Emmy123222/sats-direct


docs/SECURITY.md

Security Guidelines

🔒 Environment Variables

⚠️ CRITICAL: Never Commit .env Files

The .env file contains sensitive information and should NEVER be committed to git:

  • API keys (Resend, Brevo)
  • Admin secrets
  • SMTP passwords
  • Private keys

What Was Fixed

  1. Added .env to .gitignore
  2. Removed .env from git history (using git rm --cached)
  3. Created .env.example as a template

If .env Was Already Committed

If your .env file was already pushed to GitHub:

  1. Immediately rotate all API keys and secrets:

    • Resend API key
    • Brevo API key
    • Admin secret
    • SMTP password
  2. Remove from git history:

# Remove .env from all commits
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch .env" \
  --prune-empty --tag-name-filter cat -- --all

# Force push (WARNING: This rewrites history!)
git push origin --force --all
  3. Alternatively, use BFG Repo-Cleaner (easier):

# Install BFG
brew install bfg  # macOS
# or download from https://rtyley.github.io/bfg-repo-cleaner/

# Remove .env from history
bfg --delete-files .env
git reflog expire --expire=now --all
git gc --prune=now --aggressive
git push origin --force --all

🔑 API Keys to Rotate

If your .env was exposed, rotate these immediately:

1. Resend API Key

2. Brevo API Key

3. Admin Secret

  • Generate a new random string:

openssl rand -base64 32

  • Update .env with the new value

4. SMTP Password

✅ Best Practices

1. Use .env.example

Always maintain a .env.example file with dummy values:

# .env.example
RESEND_API_KEY=re_your_key_here
BREVO_API_KEY=xkeysib-your_key_here
ADMIN_SECRET=your_secret_here

2. Never Log Secrets

// ❌ BAD
console.log('API Key:', process.env.RESEND_API_KEY);

// ✅ GOOD
console.log('API Key:', process.env.RESEND_API_KEY ? '***' : 'not set');
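Extending the "Never Log Secrets" rule and the checklist item "No secrets in error messages", the following is an added example (not code from the sats-direct project): it reports which variables are configured without printing their values, and scrubs configured secret values and key-shaped tokens out of any text headed for a log or an error response. The variable names and the `re_` / `xkeysib-` prefixes come from the .env.example on this page; the minimum token lengths and the sample values are assumptions.

```javascript
// Added example: startup config summary plus a redaction helper for log
// and error text. Not part of the sats-direct repository.
const REQUIRED = ['RESEND_API_KEY', 'BREVO_API_KEY', 'ADMIN_SECRET', 'SMTP_PASSWORD'];

// Key shapes taken from the page's .env.example: Resend keys start with
// "re_", Brevo keys with "xkeysib-". The minimum lengths are assumptions.
const KEY_SHAPES = [/\bre_[A-Za-z0-9_]{8,}\b/g, /\bxkeysib-[A-Za-z0-9-]{16,}\b/g];

// Returns { NAME: '***' | 'not set' } so the result is safe to log at startup.
function summarizeConfig(env) {
  const summary = {};
  for (const name of REQUIRED) summary[name] = env[name] ? '***' : 'not set';
  return summary;
}

// Lists required variables that are missing, so startup can fail closed.
function missingConfig(env) {
  return REQUIRED.filter((name) => !env[name]);
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Replaces every configured secret value, and anything shaped like a Resend
// or Brevo key, with '***'. Run this over anything that reaches a log line
// or an HTTP error body, including messages copied from upstream API errors.
function redact(text, env) {
  let out = String(text);
  for (const name of REQUIRED) {
    const value = env[name];
    if (value && value.length >= 8) { // very short values would over-match
      out = out.replace(new RegExp(escapeRegExp(value), 'g'), '***');
    }
  }
  for (const shape of KEY_SHAPES) out = out.replace(shape, '***');
  return out;
}

// Constructed sample environment (placeholder values, not real keys).
const sampleEnv = {
  RESEND_API_KEY: 're_EXAMPLE_0123456789abcdef',
  BREVO_API_KEY: 'xkeysib-EXAMPLE0123456789abcdef0123',
  ADMIN_SECRET: 'constructed-admin-secret-value',
};

console.log(summarizeConfig(sampleEnv)); // SMTP_PASSWORD reported as 'not set'
console.log(redact('Resend rejected key re_EXAMPLE_0123456789abcdef: 401', sampleEnv));
```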

3. Use Environment-Specific Files

.env              # Local development (gitignored)
.env.example      # Template (committed)
.env.production   # Production (gitignored, set on server)

4. Server-Side Only

Never expose secrets in client-side code:

// ❌ BAD - Exposed to browser
const apiKey = import.meta.env.VITE_SECRET_KEY;

// ✅ GOOD - Server-side only
const apiKey = process.env.SECRET_KEY;

5. Use Vercel/Netlify Environment Variables

For production, set environment variables in your hosting platform:

Vercel:

  • Go to Project Settings → Environment Variables
  • Add each variable
  • Redeploy

Netlify:

  • Go to Site Settings → Environment Variables
  • Add each variable
  • Redeploy

🚨 What to Do If Secrets Are Exposed

  1. Immediately rotate all API keys

  2. Check for unauthorized usage:

    • Resend: Check email logs
    • Brevo: Check campaign logs
    • Check for unexpected charges
  3. Remove from git history (see above)

  4. Monitor for abuse:

    • Set up billing alerts
    • Check API usage dashboards
    • Review access logs
  5. Update documentation to prevent future exposure

📋 Checklist

Before committing:

  • .env is in .gitignore
  • No secrets in code
  • .env.example is up to date
  • No API keys in commit messages
  • No secrets in error messages

🔗 Resources

📞 Need Help?

If you've exposed secrets and need help:

  1. Rotate all keys immediately
  2. Contact support for each service
  3. Review billing for unauthorized usage
  4. Clean git history
  5. Update security practices
