
fix(docker): secure environment files in Docker setup #8

Open
pedrojreis wants to merge 1 commit into LibreChat-AI:main from nosportugal:security-fix-env

pedrojreis commented Apr 23, 2026

What kind of change does this PR introduce?

  • Prevent copying of .env and env.sh into the public www/ directory.
  • Ensure sensitive files are stored outside the document root to avoid exposure.
  • Update comments for clarity on the handling of environment variables.

What is the current behavior?

When one leverages this sandbox to use Artifacts in LibreChat, one is also exposing the .env file.
I know that the API_KEY in it is not that critical, but for an attacker it is enough to know what's installed and how to get in.

As enterprises go, this is a critical issue.

What is the new behavior?

It won't copy the .env into the www/ directory.

Checklist

  • Documentation (N/A)
  • Testing
  • Ready to be merged
  • Added myself to contributors table

* Prevent copying of `.env` and `env.sh` into the public `www/` directory.
* Ensure sensitive files are stored outside the document root to avoid exposure.
* Update comments for clarity on the handling of environment variables.
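
A check in the spirit of this change, as an added example that is not part of the pull request or the project's code: a POSIX shell function that fails when an env file is reachable under the document root, either by its own name or through a symlink. The function names, the matched file names beyond `.env` and `env.sh`, and the sample layout are assumptions constructed for illustration.

```shell
# Added example: guard for a Docker build or CI step. All names are assumptions.

is_env_name() {  # returns 0 when the file name looks like an environment file
  case "$1" in
    .env|.env.*|env.sh) return 0 ;;
    *) return 1 ;;
  esac
}

# find_exposed_env DOCROOT
# Prints each path served from DOCROOT that is an env file by name, or a
# symlink resolving to one. Returns 0 if clean, 1 if exposed, 2 if DOCROOT
# is missing (a missing directory must not pass silently).
# Limitation: file names containing newlines are not handled.
find_exposed_env() {
  root=$1
  [ -d "$root" ] || { echo "docroot not found: $root" >&2; return 2; }
  hits=$(
    find -L "$root" -type f 2>/dev/null | while IFS= read -r path; do
      # Resolve symlinks so a link named config.txt -> ../secrets/.env is caught.
      target=$(readlink -f -- "$path" 2>/dev/null) || target=$path
      if is_env_name "$(basename -- "$path")" ||
         is_env_name "$(basename -- "$target")"; then
        printf '%s\n' "$path"
      fi
    done
  )
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# make_sample_tree DIR: constructed layout with the secret kept outside www/.
make_sample_tree() {
  mkdir -p "$1/www/assets" "$1/secrets"
  printf 'API_KEY=constructed-value\n' > "$1/secrets/.env"
  printf '<html></html>\n' > "$1/www/index.html"
}
```

Run as a build step, `find_exposed_env /path/to/www || exit 1` stops the image from shipping with an env file in the served directory.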