How to Safely Share Your .env File With a Contractor
You need to share environment variables with a contractor. The problem: your .env file has real production credentials in it: Stripe live keys, database passwords, OpenAI API keys.
Here's the workflow that keeps your secrets safe.
Step 1: Sanitize before sharing
Paste your .env file into the .env Deep Sanitizer. It scans for 15+ secret patterns and replaces the matching values with <REDACTED>. It runs instantly in your browser, with zero uploads.
The output is a safe .env.example that shows the contractor what variables exist without exposing any real values.
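To make the sanitizing step concrete, here is an added example (not the .env Deep Sanitizer's own code) of the same idea: parse a .env file, flag a value as a secret either by the variable's name or by the value's shape, and emit an .env.example with those values replaced by <REDACTED>. The name list, the value patterns and the sample .env are all constructed for this example; the tool's own 15+ patterns are not listed on the page.

```python
import re

# Variable names that almost always hold credentials (constructed heuristic list).
SENSITIVE_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_KEY|PRIVATE_KEY|ACCESS_KEY", re.I)

# Value shapes for a few well-known credential formats (constructed for this example).
SENSITIVE_VALUE = [
    re.compile(r"^sk_(live|test)_[0-9A-Za-z]{10,}$"),    # Stripe secret keys
    re.compile(r"^sk-[0-9A-Za-z_-]{20,}$"),               # OpenAI-style API keys
    re.compile(r"^AKIA[0-9A-Z]{16}$"),                    # AWS access key IDs
    re.compile(r"^gh[pousr]_[0-9A-Za-z]{30,}$"),          # GitHub tokens
    re.compile(r"^[a-z][a-z0-9+.-]*://[^:/@]+:[^@]+@"),   # connection URL with a password
]

# KEY=value, optional leading "export", optional whitespace around "=".
ENV_LINE = re.compile(r"^(?P<prefix>\s*(?:export\s+)?)(?P<key>[A-Za-z_]\w*)\s*=\s*(?P<value>.*?)\s*$")

def is_secret(key, value):
    """True if either the variable name or the value's shape looks like a credential."""
    return bool(SENSITIVE_NAME.search(key)) or any(p.match(value) for p in SENSITIVE_VALUE)

def sanitize(text):
    """Return .env.example content: same keys, secret values replaced by <REDACTED>."""
    out = []
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m is None or line.lstrip().startswith("#"):
            out.append(line)          # blank lines, comments and odd lines pass through
            continue
        key, value = m.group("key"), m.group("value").strip("\"'")
        if value and is_secret(key, value):
            out.append(f"{m.group('prefix')}{key}=<REDACTED>")
        else:
            out.append(line)          # non-secret config (ports, feature flags) is kept
    return "\n".join(out) + "\n"

# Constructed sample .env; none of these are real credentials.
SAMPLE_ENV = "\n".join([
    "# constructed sample",
    "APP_NAME=myapp",
    "PORT=3000",
    "STRIPE_SECRET_KEY=sk_live_ABCDEFGHIJKLMNOP1234",
    'OPENAI_API_KEY="sk-aaaaaaaaaaaaaaaaaaaaaaaaaaaa"',
    "export AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP",
    "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app",
    "GITHUB_PAT=ghp_" + "A" * 36,
    "DEBUG=true",
])
```

`DATABASE_URL` and `GITHUB_PAT` are caught by value shape alone, which is why a name-only check is not enough; `sanitize(SAMPLE_ENV)` leaves the comment, `APP_NAME`, `PORT` and `DEBUG` untouched.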
Step 2: Add the right .gitignore rules
Your .gitignore should always include:
```
.env
.env.local
.env.*.local
.env.production
# but commit this:
# .env.example
```
Step 3: Add a pre-commit hook
Even with .gitignore, a pre-commit hook catches secrets before they reach git history:
```
# .husky/pre-commit
npx secretlint "**/.env*"

# or use detect-secrets:
pip install detect-secrets
```
Step 4: Give the contractor scoped credentials
Instead of sharing production credentials, create separate staging-only API keys with the minimum permissions needed. Stripe, AWS, GitHub, and most APIs support this.
Rotate all credentials the day the contractor engagement ends.
The 60-second checklist
- Run .env through the sanitizer to get a clean .env.example
- .gitignore includes all .env* variants
- Pre-commit hook installed (Husky + secretlint)
- Contractor gets staging-only, scoped credentials
- Calendar reminder to rotate keys on engagement end
Try the related tool
.env Deep Sanitizer: free, runs 100% in your browser.
