Log-driven defensive SEO page · 2026-05-12

Hasura .env secret hardening for GraphQL and API gateway deployments

Defensive page for /hasura/.env or GraphQL config probes: protect admin secrets, restrict consoles, rotate exposed keys, and ship safe Nginx/OpenResty checks.


Defensive-only: this page is for operators hardening systems they own. No exploit steps, no credential harvesting, no scanner automation, no affiliation claims, and no income/security guarantee.

Probe patterns this covers

/hasura/.env, /graphql/.env, /v1/graphql, console probes

These paths appeared in real access-log noise and are useful as a trigger to review public roots, reverse-proxy locations and deployment artifacts.

Safe first response

  1. Do not serve Hasura project folders or compose directories from a public document root.
  2. Treat HASURA_GRAPHQL_ADMIN_SECRET and database URLs as rotate-immediately values if they ever hit a public response.
  3. Keep console/admin endpoints private or authenticated; separate public GraphQL APIs from admin tooling.
  4. Block dotfiles and common config backups at the edge and origin, then verify with harmless HEAD/GET checks.
  5. Track probes in logs without printing request bodies or secrets into monitoring dashboards.
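
Steps 2 and 5 as an added example (not part of the original page or its kit): a log triage pass that counts hits on dotfile and backup paths, drops query strings so tokens never reach a dashboard, and marks any path answered with 2xx as needing rotation. The nginx "combined" log format, the PROBE pattern and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed detection pattern: dotfiles (.env, .git, ...) in any folder, or backup suffixes.
PROBE = re.compile(r"/\.(?:env|git|svn|hg)(?:[./]|$)|\.(?:bak|save|old)$", re.I)
# Assumes the nginx "combined" access_log format.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')


def triage(lines):
    """Return {path: {"hits": n, "clients": set, "served": bool}} for probe requests."""
    report = defaultdict(lambda: {"hits": 0, "clients": set(), "served": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparsable line: skip rather than echo raw content
        ip, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string so tokens never reach the report
        if not PROBE.search(path):
            continue
        entry = report[path]
        entry["hits"] += 1
        entry["clients"].add(ip)
        # A 2xx on a probe path means the file was served: rotate the secrets (step 2).
        entry["served"] = entry["served"] or status.startswith("2")
    return dict(report)


# Constructed sample lines using documentation IP ranges, not taken from any real log.
SAMPLE = [
    '203.0.113.7 - - [12/May/2026:10:00:01 +0000] "GET /hasura/.env HTTP/1.1" 404 153 "-" "-"',
    '203.0.113.7 - - [12/May/2026:10:00:02 +0000] "GET /graphql/.env?token=EXAMPLE HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [12/May/2026:10:00:03 +0000] "HEAD /hasura/.env HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [12/May/2026:10:00:04 +0000] "POST /v1/graphql HTTP/1.1" 200 88 "-" "-"',
]

if __name__ == "__main__":
    for path, e in sorted(triage(SAMPLE).items()):
        action = "ROTATE SECRETS" if e["served"] else "blocked"
        print(f"{path}  hits={e['hits']} clients={len(e['clients'])}  {action}")
```

Ordinary API traffic to /v1/graphql is left out of the report, so only the file probes are counted.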

Copy-ready Nginx/OpenResty deny pattern

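# Deny dotfiles and VCS metadata at any depth, e.g. /hasura/.env or /.git/config
location ~ /\.(?:env|git|svn|hg) { return 404; }
# Deny env files and common config backups by suffix (case-insensitive)
location ~* (?:\.env|\.bak|\.save|\.old|config\.php)$ { return 404; }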

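Place these deny rules before broad static/proxy locations: Nginx tests regex locations in the order they appear and uses the first match, and a prefix location marked ^~ skips regex matching entirely. Then test with harmless requests. Keep real secrets out of public directories entirely.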
