Your MongoDB credentials are SAFE and not tracked by git.
.envfiles - Listed in.gitignore, never committed- MongoDB credentials - Only in local
.envfile - JWT secrets - Only in local
.envfile - Uploads folder - User-uploaded files not tracked
backend/.envfrontend/.envbackend/uploads/*- Any file with real credentials
# Always check what you're committing
git status
# Make sure .env is NOT listed
git ls-files | grep .env
# If .env appears, remove it immediately:
git rm --cached backend/.env
git rm --cached frontend/.env- File:
backend/.env(NOT in git β ) - Status: Protected by
.gitignore
- You accidentally committed
.envto git - You shared your screen with
.envvisible - You suspect unauthorized access
- Go to MongoDB Atlas dashboard
- Database Access β Edit User
- Change password
- Update
backend/.envwith new password - Restart your backend server
Replace the default JWT secret in backend/.env:
# Generate a strong secret (run in terminal)
node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"Then update in backend/.env:
JWT_SECRET=<paste-generated-secret-here>Development (current):
NODE_ENV=development
MONGODB_URI=mongodb+srv://...Production (when deploying):
- Use environment variables in hosting platform
- Never hardcode credentials in code
- Use secrets management (Heroku Config Vars, Vercel Env Variables, etc.)
Recommended settings in MongoDB Atlas:
- β Enable IP Whitelist (restrict access)
- β Use strong passwords (16+ characters)
- β Enable database auditing
- β Regular backups enabled
- β Use least-privilege user accounts
Before deploying to production:
- Change JWT_SECRET to a strong random value
- Use environment variables (not .env files) in production
- Enable MongoDB IP whitelist
- Use HTTPS for all connections
- Set NODE_ENV=production
- Review and limit CORS origins
- Enable rate limiting
- Set up monitoring and alerts
If you accidentally commit credentials:
-
Immediately rotate all secrets:
- Change MongoDB password
- Generate new JWT secret
- Update
.envfile
-
Remove from git history:
# Remove file from git history git filter-branch --force --index-filter \ "git rm --cached --ignore-unmatch backend/.env" \ --prune-empty --tag-name-filter cat -- --all # Force push (WARNING: rewrites history) git push origin --force --all
-
Notify your team if it's a shared repository
β
.env files are in .gitignore
β
MongoDB credentials are NOT in git
β
.env.example has placeholder values
β
Uploads folder is ignored
Your secrets are safe! π