Why Your .env File Is the Most Dangerous File in Your AI Project

The.en file was a good idea for a different era. Load environment variables at startup, keep credentials out of source code, use.gitignore to prevent accidental commits. For a traditional web application running on a server you control, that is a reasonable security model. The application does what you wrote. The credentials sit where you put them. Nobody is sneaking instructions into the execution context through a product description. AI agents changed that completely. What changed A traditional application does exactly what you programmed it to do.