.env- May 2026

CERTIFICATE="-----BEGIN CERTIFICATE----- MIIDXTCCAkWgAwIBAgIJAKl... -----END CERTIFICATE-----"

At a previous consulting engagement, a SaaS company had a cron job that ran a script to rotate logs. The script contained the line:

cp .env .env-$(date +%Y-%m-%d)

Every day, a new .env-YYYY-MM-DD file was created. The .gitignore only listed .env (no asterisk). One day, a developer ran git add --all and committed 90 days' worth of .env- files to a public repository. Within six hours, bots had scraped the AWS keys and spun up $50,000 worth of cryptocurrency miners.

The fix was three lines:

If you cannot use a hyphen after .env, what should you use? The industry has converged on three standard, safe patterns.

If you must keep files in the root, replace the hyphen with an underscore or a dot.

.env.production  # Dot - still slightly risky
.env_local       # Underscore - safer

Most server configurations block .env* (including the dot), but underscores (_) are alphanumeric characters. However, the ultimate safety is the wildcard rule.

  • Versioned/backup files: Editors and tools may create backups like ".env-", ".env~", ".env.bak", or ".env-20230401". A file named ".env-" could be a temporary or backup copy created by certain utilities or by accident.
  • Partial overrides and layering: Systems that layer configuration may use multiple files where base is ".env" and overrides named ".env-local" or ".env-user" (the latter uses the dash).
  • CI/CD or deployment pipelines: Build scripts or deployment tooling may generate files with names like ".env-" or ".env-" to isolate runs or keep immutable snapshots.
  • Secret rotation or staging: Teams may keep rotated files like ".env-previous" or ".env-old" when updating secrets.
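
A commit-time guard for the failure described above, where git add --all staged dated .env- copies that a bare .env ignore entry did not cover. This is an added example, not code from the engagement; the function name flag_env_files, the ENV_ALLOW template allow-list and the sample paths are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to commit any file whose name starts with ".env".
# flag_env_files reads one repository-relative path per line on stdin,
# prints each offending path, and returns 1 if it printed anything.

# Hypothetical allow-list of secret-free templates that may be committed.
ENV_ALLOW="${ENV_ALLOW:-.env.example .env.sample}"

flag_env_files() {
    found=0
    while IFS= read -r path || [ -n "$path" ]; do
        name=${path##*/}          # match on the file name, in any directory
        case "$name" in
            .env*) ;;             # .env, .env-2026-05-01, .env.bak, .env_local, .env~
            *) continue ;;
        esac
        allowed=0
        for ok in $ENV_ALLOW; do
            if [ "$name" = "$ok" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$path"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# In .git/hooks/pre-commit the input would come from the index:
#   git diff --cached --name-only --diff-filter=ACMR | flag_env_files || exit 1

# Constructed list of staged paths, standing in for the git output above.
sample='README.md
.env-2026-05-01
config/.env.bak
.env.example
src/app.py'
printf '%s\n' "$sample" | flag_env_files ||
    echo "commit blocked: the .env files listed above are staged" >&2
```

The guard matches on the file name only, so it also catches copies in subdirectories that a root-anchored ignore entry would miss.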