Disclosure: I am a senior backend tech lead in Paris and I run Belmo, a small European PaaS. This article mentions Belmo once near the end. Everything else works regardless of where you host.
A founder I advise forwarded me a GitHub email last Sunday. Subject line: "We found a secret in one of your repositories." It was an OpenAI key, six commits old, in a repo she had flipped from private to public on Friday so a designer could browse it. The key was still active. She had been billed €240 in API calls between Friday evening and Sunday morning by someone running what looked like a CSV-to-embeddings job out of a residential IP block in Brazil.
This is the most common preventable production incident I see in indie SaaS. Not a database outage, not a Stripe bug, not a deploy gone wrong. A key in a place it should not be. Usually a .env file committed before .gitignore was set up. Sometimes a hardcoded OPENAI_API_KEY = "sk-..." in a Python script the founder forgot they pushed during early prototyping. Almost always findable in two minutes if you know where to look.
If you have ever pasted an API key into Claude Code, Cursor, Lovable, or Bolt, or if you have ever committed a project before you knew what .gitignore did, this article is the audit you have been putting off.
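The two-minute check above is a walk through git history, not through the current checkout, because the key is usually in a commit you have since "fixed". As an added example (my illustration for this article, not Belmo tooling and not anything the founder ran), here is a small Python scanner that reads `git log -p --all` output, attributes every added line to the commit and file that introduced it, and reports committed `.env` files and key-shaped strings with the values redacted. The log it scans is constructed sample data: the commit hashes and file names are made up, the `sk-` value is a fake, and the AWS secret is the placeholder from AWS's own documentation.

```python
"""Locate secrets in git history by scanning `git log -p` output.

Added example, not the article's own code. Reads a diff stream, attributes
each added line to its commit and file, and reports key-shaped strings and
committed .env files. Values are redacted so the report itself is safe to share.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import PurePosixPath

# Key shapes. The "sk-" OpenAI prefix is the one from the article; the AWS
# access-key-id and GitHub token prefixes are their publicly documented formats.
SECRET_PATTERNS = {
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # user:password@ inside a connection URL, e.g. DATABASE_URL
    "url_credential": re.compile(r"://[^\s/:@]+:[^\s@]+@"),
}
# Fallback: a NAME containing KEY/SECRET/TOKEN/PASSWORD assigned a long value.
GENERIC_ASSIGNMENT = re.compile(
    r"\b[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*\s*[=:]\s*[\"']?([^\s\"']{16,})"
)
# Template env files are expected to hold placeholders, not live values.
ENV_TEMPLATE_SUFFIXES = (".example", ".sample", ".template", ".dist")


@dataclass(frozen=True)
class Finding:
    commit: str    # abbreviated hash of the commit that ADDED the line
    path: str      # file path as of that commit
    kind: str      # which rule fired
    redacted: str  # short prefix so the owner recognises the key; never the whole value


def redact(value: str) -> str:
    return value[:8] + "..."


def is_env_file(path: str) -> bool:
    name = PurePosixPath(path).name
    return name.startswith(".env") and not name.endswith(ENV_TEMPLATE_SUFFIXES)


def scan_git_log(log_text: str) -> list[Finding]:
    """Walk `git log -p` output. Only '+' lines are inspected: a secret deleted in a
    later commit is still reported at the commit that introduced it."""
    findings: list[Finding] = []
    commit, path = "(no commit)", None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit, path = line.split()[1][:12], None
        elif line.startswith("+++ "):           # target file of the following hunks
            target = line[4:].strip()
            path = None if target == "/dev/null" else target.removeprefix("b/")
            if path and is_env_file(path):
                findings.append(Finding(commit, path, "env_file_committed", ""))
        elif line.startswith("+") and path is not None:
            added = line[1:]
            hits = [(k, m.group(0)) for k, p in SECRET_PATTERNS.items() for m in p.finditer(added)]
            if not hits:
                m = GENERIC_ASSIGNMENT.search(added)
                if m:
                    hits.append(("credential_assignment", m.group(1)))
            findings.extend(Finding(commit, path, k, redact(v)) for k, v in hits)
    return findings


# Constructed sample: what `git log -p --all` prints for a repo where a .env and a
# hardcoded key were committed, then the file was deleted and .gitignore added.
# Hashes are made up; the AWS value is the placeholder from AWS's documentation.
SAMPLE_LOG = """\
commit 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
Author: Founder <founder@example.com>
Date:   Wed Mar 13 09:02:41 2024 +0100

    add .gitignore, stop tracking .env

diff --git a/.gitignore b/.gitignore
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/.env b/.env
--- a/.env
+++ /dev/null
@@ -1,2 +0,0 @@
-OPENAI_API_KEY=sk-EXAMPLEKEY0123456789abcdefghij
-DATABASE_URL=postgres://app:hunter2@localhost/app
commit 9f3c2a1b7d4e8c0a5b6d7e8f9a0b1c2d3e4f5a6b
Author: Founder <founder@example.com>
Date:   Tue Mar 12 21:14:03 2024 +0100

    initial prototype

diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+OPENAI_API_KEY=sk-EXAMPLEKEY0123456789abcdefghij
+DATABASE_URL=postgres://app:hunter2@localhost/app
diff --git a/embed.py b/embed.py
--- /dev/null
+++ b/embed.py
@@ -0,0 +1,3 @@
+import openai
+openai.api_key = "sk-EXAMPLEKEY0123456789abcdefghij"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
"""


def scan_sample() -> list[Finding]:
    return scan_git_log(SAMPLE_LOG)


if __name__ == "__main__":
    # Real use:  git log -p --all | python scan_history.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_git_log(text):
        print(f"{f.commit}  {f.path:<12} {f.kind:<22} {f.redacted}")
```

Run it against a real repo with `git log -p --all | python scan_history.py`; `--all` is the flag people skip, and the branch you forgot about is exactly where an old key lives. Look at what the sample reports: the later commit that deleted `.env` and added `.gitignore` produces no findings, yet every secret is still listed at the commit that introduced it, because deleting a file changes the tree, not the history. Rotate the key before you touch history; rewriting commits afterwards is cleanup, not remediation.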