Your .env File Is Not a Secret Store

Most teams make one of two mistakes with secrets.

The first is obvious.

The second is more common in teams that have already fixed the first one.

Both come from the same misunderstanding about what a .env file is supposed to do.

Log the Fingerprint, Not the Secret

When something goes wrong with your application's configuration, you need to know what was loaded and where it came from.

Most tools for answering that question either tell you too much or nothing at all.

There's a third option most people haven't considered.