Insecure NGINX Settings (.env still accessible)

When dockerized app still running, do this: curl localhost:8800/.env, it will give env variables

Sample output:

[6:59:31] andika:webtune-master git:(main*) $ curl localhost:8800/.env
DATABASE_URL="pgsql:host=webtune-database;port=5432"
DATABASE_NAME="music"
DATABASE_USERNAME="postgres"
DATABASE_PASSWORD="root"

POSTGRES_USER=postgres
POSTGRES_PASSWORD=root

API_KEY=secret

CLIENT_REST_API="http://localhost:8802"
REST_API="http://webtune-rest:8888"
REST_KEY=secret_turu

SOAP_API=http://webtune-soap:8080/webtune-soap
SOAP_KEY=secret_blebekblebek