How to avoid uploading .env files to GitHub?

Learn how to keep your sensitive .env files out of GitHub with step-by-step tips on using .gitignore, removing tracked files, and cleaning history safely.

Matt Graham, CEO of Rapid Developers


Step 1: Understand Why You Should Keep .env Files Out of Git

 

When you build applications, you often store secrets like API keys, database credentials, or tokens in a .env file. Uploading this file to GitHub can expose those secrets to the public or to anyone with access to your repository.

  • Sensitive data must stay private.
  • Accidental leaks can lead to security breaches or unexpected usage fees.
  • Regulatory compliance often forbids storing secrets in version control.

 

Step 2: Create or Update Your .gitignore File

 

A .gitignore file tells Git which files or directories to ignore when you stage changes.

If you don’t already have a .gitignore file in your project root, create one. Then add an entry for .env to ensure Git will skip it:

# Ignore environment variable files
.env

 

Step 3: Remove Already Tracked .env Files from Git

 

If you’ve committed .env in the past, simply adding it to .gitignore won’t untrack it. You must remove it from the index while keeping it on disk:

# Stop tracking .env but keep it locally
git rm --cached .env

# Commit the change
git commit -m "Remove .env from tracking and add to .gitignore"

 

Step 4: Create a .env.example Template

 

To help collaborators understand which environment variables are needed without exposing real values, create a .env.example file. Include only the keys and placeholder values:

# Copy your real .env to .env.example and scrub secrets:
cp .env .env.example

# Then open .env.example and replace values with placeholders:
# DB_HOST=your_database_host
# DB_USER=your_username
# DB_PASS=your_password

  • Commit .env.example so teammates know what variables to define.
  • Don’t add .env.example to .gitignore.
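An alternative to copying and hand-editing, as an added example that is not part of the original page: generate the template so real values never land in .env.example, then confirm none survived. The helper names scrub_env and template_is_clean, the CHANGE_ME placeholder and the sample .env are assumptions made for illustration.

```shell
# Added example: build .env.example from .env without copying secret values.
scrub_env() {
    # $1 = source .env, $2 = destination template.
    # Comments and blank lines pass through; for KEY=value lines (optionally
    # prefixed with "export") the key is kept and the value is replaced.
    sed -E 's/^([[:space:]]*(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*)=.*/\1=CHANGE_ME/' "$1" > "$2"
}

template_is_clean() {
    # $1 = .env, $2 = template. Returns 0 when no value from .env appears
    # anywhere in the template, 1 when at least one value leaked into it.
    if sed -nE 's/^[[:space:]]*(export[[:space:]]+)?[A-Za-z_][A-Za-z0-9_]*=(.+)$/\2/p' "$1" \
        | grep -qF -f - "$2"; then
        return 1
    fi
    return 0
}

demo_scrub() {
    d=$(mktemp -d) || return 1
    # Constructed sample .env, not real credentials.
    cat > "$d/.env" <<'EOF'
# Database
DB_HOST=db.internal.example
DB_USER=app_rw_user
export DB_PASS="constructed-sample-pw"
EOF
    scrub_env "$d/.env" "$d/.env.example"
    cat "$d/.env.example"
    template_is_clean "$d/.env" "$d/.env.example" && rc=0 || rc=1
    rm -rf "$d"
    return $rc
}

demo_scrub
```

Very short values (for example a port number) can also appear in a comment and trigger a false alarm from template_is_clean; treat a failure as a prompt to review the template before committing it.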

 

Step 5: Verify .env is Being Ignored

 

Make sure Git is no longer tracking your .env file by running:

# Attempt to stage .env again
git add .env

# Check status to confirm .env is not staged
git status

  • You should see no reference to .env in the staged or unstaged list.
  • If it still appears, double-check your .gitignore syntax and file location.

 

Step 6: Adopt Best Practices for Managing Secrets

 

  • Use a secrets manager (AWS Secrets Manager, HashiCorp Vault) for production deployments.
  • Encrypt sensitive files if you must commit them, using tools like Git-crypt or BlackBox.
  • Rotate credentials regularly and revoke compromised keys immediately.
  • Educate your team on secure handling of environment files.

 

Step 7: Clean Up History if You’ve Leaked Secrets

 

Simply removing a file in a new commit doesn’t remove it from past commits. If you have accidentally pushed a .env file with real secrets, you should rewrite history and force-push:

# Install the BFG Repo Cleaner or use git filter-branch
# Example with BFG to remove all .env files:
bfg --delete-files .env

# After cleaning, force-push:
git push --force

  • Be cautious: rewriting history affects all collaborators.
  • After cleanup, revoke and rotate any exposed credentials.
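A check that ties Steps 3, 5 and 7 together, as an added example that is not part of the original page: it reports whether .env is covered by an ignore rule, whether it is still tracked, and whether any commit in history still contains it. The function name env_exposure and the throwaway repository are assumptions constructed for the demonstration.

```shell
# Added example: audit how exposed .env is in a repository.
env_exposure() {
    # $1 = repository path, $2 = file to audit (defaults to .env)
    repo=$1; f=${2:-.env}
    ignored=no; tracked=no; in_history=no
    # Step 5: does an ignore rule match? --no-index tests the rule itself,
    # even while the file is still tracked.
    if git -C "$repo" check-ignore -q --no-index -- "$f"; then ignored=yes; fi
    # Step 3: is the file still in the index?
    if git -C "$repo" ls-files --error-unmatch -- "$f" >/dev/null 2>&1; then tracked=yes; fi
    # Step 7: does any commit reachable from any ref touch the file?
    if [ "$(git -C "$repo" rev-list --all --count -- "$f")" -gt 0 ]; then in_history=yes; fi
    echo "ignored=$ignored tracked=$tracked in_history=$in_history"
}

demo_repo() {
    # Constructed repository that repeats the mistake, then applies Steps 2-3.
    d=$(mktemp -d) || return 1
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false "$@"; }
    g init -q
    printf 'DB_PASS=constructed-sample\n' > "$d/.env"
    g add .env && g commit -q -m "Initial commit (includes .env by mistake)"
    env_exposure "$d"   # before the fix
    printf '.env\n' > "$d/.gitignore"
    g rm -q --cached .env && g add .gitignore
    g commit -q -m "Remove .env from tracking and add to .gitignore"
    env_exposure "$d"   # after the fix: ignored and untracked, still in history
    rm -rf "$d"
}

demo_repo
```

in_history=yes after the fix is the situation Step 7 addresses: the file is gone from the latest commit but still retrievable from earlier ones until history is rewritten and the credentials are rotated.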

 

Step 8: Document Your Workflow

 

In your project’s README, add a section describing how to set up environment variables safely:

## Environment Setup

1. Copy .env.example into .env  
2. Fill in your API keys and database credentials  
3. Do not commit .env—it is already added to .gitignore

 

Following these steps ensures your secrets remain private, your Git history stays clean, and collaborators know exactly how to configure their environments without risking exposure.
