SiteSignal Express

Exposed .env and config scan checklist

A defensive checklist for site owners who see requests for .env files, debug logs, docker-compose files, or deployment config paths in web server logs.

Launch checks

  • Confirm every probe path returns 403, 404, or a controlled redirect; no secret, config, backup, or debug file should be served publicly.
  • Rotate any API key, SMTP password, database password, webhook secret, or cloud token that may have been exposed.
  • Block dotfiles, backup files, debug logs, SQL dumps, and deployment config files at the web server or edge proxy.
  • Check recent access logs for successful 200 responses to sensitive paths before assuming the scan was harmless.
  • Keep production secrets in environment variables or secret storage, not inside the public web root or committed files.
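The access-log check from the list above, as an added example (not part of the original checklist). It assumes the combined log format; the path patterns and sample lines are constructed for illustration and should be extended for your own stack.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined/common log format: ip - user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumed patterns for the file classes named in the checklist.
SENSITIVE_RE = re.compile(
    r'(^|/)\.[^/.][^/]*'                               # dotfiles/dirs: .env, .git/config
    r'|\.(sql|bak|old|backup|log|dump)(\.gz|\.zip)?$'  # backups, debug logs, SQL dumps
    r'|(^|/)docker-compose[^/]*\.ya?ml$',              # deployment config
    re.IGNORECASE,
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/May/2025:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.7 - - [12/May/2025:10:01:03 +0000] "GET /backup/db.sql.gz HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '203.0.113.7 - - [12/May/2025:10:01:04 +0000] "GET /app/%2eenv?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.9 - - [12/May/2025:10:02:00 +0000] "GET /.well-known/security.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2025:10:02:05 +0000] "GET /docker-compose.yml HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/May/2025:10:02:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

def served_sensitive(lines):
    """Return (ip, time, path, status, size) for sensitive paths answered with 2xx."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = unquote(urlsplit(m["target"]).path)  # drop query string, decode %2e
        if path.startswith("/.well-known/"):
            continue  # legitimately public dot-directory
        status = int(m["status"])
        if SENSITIVE_RE.search(path) and 200 <= status < 300:
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append((m["ip"], m["time"], path, status, size))
    return hits

if __name__ == "__main__":
    for hit in served_sensitive(SAMPLE):
        print(*hit, sep="\t")
```

Treat every hit as a possible exposure until the response body is verified: a 2xx whose size matches your custom error page is a soft 404, while anything else means the file's secrets should be rotated.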
