Someone trying to access a .env file in a functions directory?
We noticed in the last few days alot of attempts to access .env in our functions directory on Cloudflare pages. So for example, we see GET and POST requests to /.env. Of course these are rejected and we don't have a .env file anyway (Secrets are saved in dashboard as secrets and some vars in a TOML file), but this got me concerned about the security of functions and environment variables in general on Cloudflare. My questions are: is the wrangler.toml file accessible anywhere on a website publicly? Are they in the build output at all? How can we inspect our actual build files to see what's in them? I don't see anyway to download the outputted files in the Pages admin. What else is a potential security leak on a cloudflare pages functions directory?
0 Replies