[{"data":1,"prerenderedAt":320},["ShallowReactive",2],{"blog-how-to/gitignore-secrets":3},{"id":4,"title":5,"body":6,"category":301,"date":302,"dateModified":302,"description":303,"draft":304,"extension":305,"faq":306,"featured":304,"headerVariant":307,"image":306,"keywords":306,"meta":308,"navigation":309,"ogDescription":310,"ogTitle":306,"path":311,"readTime":306,"schemaOrg":312,"schemaType":313,"seo":314,"sitemap":315,"stem":316,"tags":317,"twitterCard":318,"__hash__":319},"blog/blog/how-to/gitignore-secrets.md","How to Gitignore Sensitive Files",{"type":7,"value":8,"toc":282},"minimark",[9,13,17,21,27,32,35,46,50,66,82,105,118,131,144,148,154,158,162,168,172,178,182,188,192,195,201,243,263],[10,11],"category-badge",{"category":12},"How-To Guide",[14,15,5],"h1",{"id":16},"how-to-gitignore-sensitive-files",[18,19,20],"p",{},"Prevent accidental commits of secrets",[22,23,24],"tldr",{},[18,25,26],{},"TL;DR:\nAdd\n.env*\n, credential files, and config files with secrets to your\n.gitignore\n. Use\n!.env.example\nto keep your template. If files are already tracked, run\ngit rm --cached filename\nto untrack them. 
Always verify with\ngit status\nbefore committing.",[28,29,31],"h2",{"id":30},"essential-gitignore-for-secrets","Essential .gitignore for Secrets",[18,33,34],{},"Copy this security-focused .gitignore section to every project:",[36,37,42],"pre",{"className":38,"code":40,"language":41},[39],"language-text","# ========================================\n# SECRETS - Never commit these\n# ========================================\n\n# Environment files\n.env\n.env.local\n.env.development.local\n.env.test.local\n.env.production.local\n.env.production\n.env.staging\n\n# Keep the example file\n!.env.example\n!.env.template\n\n# Private keys\n*.pem\n*.key\n*.p12\n*.pfx\nid_rsa\nid_ed25519\n\n# Credentials\ncredentials.json\nservice-account*.json\n*-credentials.json\nsecrets.json\nconfig.secrets.*\n\n# Cloud provider configs with secrets\n.aws/credentials\n.gcloud/\n.azure/\n\n# IDE with possible secrets\n.idea/\n.vscode/settings.json\n\n# Local database files\n*.sqlite\n*.sqlite3\n*.db\n\n# Log files (might contain secrets)\n*.log\nlogs/\n","text",[43,44,40],"code",{"__ignoreMap":45},"",[28,47,49],{"id":48},"step-by-step-setup","Step-by-Step Setup",[51,52,54,59],"step",{"number":53},"1",[55,56,58],"h3",{"id":57},"create-or-update-gitignore","Create or update .gitignore",[18,60,61,62,65],{},"Open (or create) ",[43,63,64],{},".gitignore"," in your project root and add the patterns above.",[51,67,69,73,76],{"number":68},"2",[55,70,72],{"id":71},"check-if-secrets-are-already-tracked","Check if secrets are already tracked",[18,74,75],{},"Run these commands to see whether any sensitive files are already tracked. The first pattern only matches files at the repository root and the second only matches paths that end in one of the listed strings, so adapt both to your project's layout and file names:",[36,77,80],{"className":78,"code":79,"language":41},[39],"# Check for tracked .env files\ngit ls-files | grep -E \"^\\.env\"\n\n# Check for any files with common secret patterns\ngit ls-files | grep -E \"(credential|secret|key\\.json|\\.pem)$\"\n",[43,81,79],{"__ignoreMap":45},[51,83,85,89,92,98],{"number":84},"3",[55,86,88],{"id":87},"untrack-already-committed-files","Untrack 
already committed files",[18,90,91],{},"If sensitive files are tracked, remove them from Git's index (your local copies stay on disk):",[36,93,96],{"className":94,"code":95,"language":41},[39],"# Remove specific file from tracking\ngit rm --cached .env.local\n\n# Remove all .env files from tracking\ngit rm --cached .env* 2>/dev/null || true\n\n# Remove a directory\ngit rm --cached -r secrets/\n",[43,97,95],{"__ignoreMap":45},[18,99,100,101,104],{},"The ",[43,102,103],{},"--cached"," flag removes the file from Git's index, so it stops being tracked, but keeps your local copy. Commits made before the removal still contain the file.",[51,106,108,112],{"number":107},"4",[55,109,111],{"id":110},"commit-the-gitignore-update","Commit the .gitignore update",[36,113,116],{"className":114,"code":115,"language":41},[39],"git add .gitignore\ngit commit -m \"Update .gitignore to exclude sensitive files\"\n",[43,117,115],{"__ignoreMap":45},[51,119,121,125],{"number":120},"5",[55,122,124],{"id":123},"verify-files-are-ignored","Verify files are ignored",[36,126,129],{"className":127,"code":128,"language":41},[39],"# Check git status - .env files should not appear\ngit status\n\n# Test if a file would be ignored\ngit check-ignore -v .env.local\n# Output: .gitignore:3:.env.local    .env.local\n",[43,130,128],{"__ignoreMap":45},[132,133,134,137],"warning-box",{},[18,135,136],{},"Already pushed secrets?",[18,138,139,140,143],{},"If you've already pushed secrets to a remote repository, adding them to .gitignore won't remove them from history. 
You need to rotate those credentials immediately, then consider cleaning git history with tools like ",[43,141,142],{},"git filter-branch"," or BFG Repo Cleaner. The Git documentation discourages filter-branch and recommends git filter-repo instead. Rewriting history does not revoke a secret that was already fetched or cloned, which is why rotation comes first.",[28,145,147],{"id":146},"pattern-syntax-guide","Pattern Syntax Guide",[36,149,152],{"className":150,"code":151,"language":41},[39],"# Ignore a specific file\n.env.local\n\n# Ignore all files with extension\n*.pem\n\n# Ignore files starting with pattern\n.env*\n\n# Ignore a directory\nsecrets/\n\n# Ignore files in any subdirectory\n**/*.key\n\n# Negate a pattern (don't ignore this file)\n!.env.example\n\n# Ignore only in root (not subdirectories)\n/.env\n",[43,153,151],{"__ignoreMap":45},[28,155,157],{"id":156},"project-type-specific-patterns","Project-Type Specific Patterns",[55,159,161],{"id":160},"nextjs-react","Next.js / React",[36,163,166],{"className":164,"code":165,"language":41},[39],".env\n.env.local\n.env.development.local\n.env.test.local\n.env.production.local\n.next/\nout/\nbuild/\n",[43,167,165],{"__ignoreMap":45},[55,169,171],{"id":170},"nodejs-express","Node.js / Express",[36,173,176],{"className":174,"code":175,"language":41},[39],".env\n.env.*\n!.env.example\nnode_modules/\n*.log\n",[43,177,175],{"__ignoreMap":45},[55,179,181],{"id":180},"python-django","Python / Django",[36,183,186],{"className":184,"code":185,"language":41},[39],".env\n.env.*\n*.pyc\n__pycache__/\n.venv/\nsecrets.py\nlocal_settings.py\n",[43,187,185],{"__ignoreMap":45},[28,189,191],{"id":190},"global-gitignore","Global Gitignore",[18,193,194],{},"Set up a global gitignore so that Git on your machine always ignores certain files. It applies only to your own machine, so keep the project's .gitignore as well:",[36,196,199],{"className":197,"code":198,"language":41},[39],"# Create global gitignore\ngit config --global core.excludesfile ~/.gitignore_global\n\n# Add to ~/.gitignore_global\n.env.local\n.DS_Store\n*.pem\n.idea/\n.vscode/settings.json\n",[43,200,198],{"__ignoreMap":45},[202,203,204,215,237],"faq-section",{},[205,206,208],"faq-item",{"question":207},"Why doesn't .gitignore work on files I already 
committed?",[18,209,210,211,214],{},".gitignore only affects untracked files. Once a file has been added or committed, Git keeps tracking it, and adding it to .gitignore does not change that. To stop tracking an existing file, use ",[43,212,213],{},"git rm --cached filename",". Earlier commits still contain the file.",[205,216,218],{"question":217},"How do I share configuration without sharing secrets?",[18,219,220,221,224,225,228,229,232,233,236],{},"Create a ",[43,222,223],{},".env.example"," file with placeholder values only (no real secrets) and commit that. Use the ",[43,226,227],{},"!"," negation pattern in .gitignore, placed after the rule that ignores the other .env files, so that it is not ignored: ",[43,230,231],{},"!.env.example",". Team members copy it to ",[43,234,235],{},".env.local"," and fill in real values.",[205,238,240],{"question":239},"Can I have .gitignore in subdirectories?",[18,241,242],{},"Yes, you can have a .gitignore file in any directory. Patterns in subdirectory .gitignore files only affect that directory and its children. This is useful for ignoring build outputs in specific folders.",[18,244,245,249,254,255,254,259],{},[246,247,248],"strong",{},"Related guides:",[250,251,253],"a",{"href":252},"/blog/how-to/hide-api-keys","How to Hide API Keys"," ·\n",[250,256,258],{"href":257},"/blog/how-to/remove-secrets-git-history","Remove Secrets from Git History",[250,260,262],{"href":261},"/blog/how-to/check-exposed-keys","Check for Exposed Keys",[264,265,266,272,277],"related-articles",{},[267,268],"related-card",{"description":269,"href":270,"title":271},"Set up automatic secret detection in your repositories. Enable GitHub secret scanning, configure pre-commit hooks, and c","/blog/how-to/secret-scanning","How to Enable Secret Scanning",[267,273],{"description":274,"href":275,"title":276},"Step-by-step guide to securing API keys in web applications. Environment variables, server-side handling, key rotation, ","/blog/how-to/secure-api-keys","How to Secure API Keys in Your Web App",[267,278],{"description":279,"href":280,"title":281},"Step-by-step guide to building a secure login form. 
Prevent brute force attacks, handle credentials safely, and implemen","/blog/how-to/secure-login-form","How to Build a Secure Login Form",{"title":45,"searchDepth":283,"depth":283,"links":284},2,[285,286,294,295,300],{"id":30,"depth":283,"text":31},{"id":48,"depth":283,"text":49,"children":287},[288,290,291,292,293],{"id":57,"depth":289,"text":58},3,{"id":71,"depth":289,"text":72},{"id":87,"depth":289,"text":88},{"id":110,"depth":289,"text":111},{"id":123,"depth":289,"text":124},{"id":146,"depth":283,"text":147},{"id":156,"depth":283,"text":157,"children":296},[297,298,299],{"id":160,"depth":289,"text":161},{"id":170,"depth":289,"text":171},{"id":180,"depth":289,"text":181},{"id":190,"depth":283,"text":191},"how-to","2026-01-14","Prevent accidental commits of API keys, .env files, and credentials. Complete guide to configuring .gitignore for sensitive files in your project.",false,"md",null,"yellow",{},true,"Prevent accidental commits of secrets and credentials.","/blog/how-to/gitignore-secrets","[object Object]","HowTo",{"title":5,"description":303},{"loc":311},"blog/how-to/gitignore-secrets",[],"summary_large_image","R2UeNESk_snNImsKJBArQVlUtYCDsQj0Zx1XtY3eOAE",1775843928352]