diff --git a/.env.example b/.env.example new file mode 100644 index 0000000..801ce13 --- /dev/null +++ b/.env.example @@ -0,0 +1,10 @@ +# Environment variable examples +BCRYPT_SALT="" +COMPOSE_PROJECT_NAME="" +DB_NAME="" +DB_PASSWORD="" +DB_PORT="" +DB_URL="" +DB_USER="" +PORT="" +VITE_REACT_APP_SERVER_URL="" diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..765af60 --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +# Sensitive files +*.env +*.env.* + +# Allow the public template +!.env.example diff --git a/README.md b/README.md index 707645a..55c2119 100644 --- a/README.md +++ b/README.md @@ -203,6 +203,26 @@ npm run test --- +## Security & Secret Management + +**Important:** As of [PR #??](https://github.com/overcut-ai/awesome-overcut/pull/XXX) we removed all plaintext secret files from version control. + +1. Secrets such as database credentials and API keys **must not** be committed to the repository. +2. Runtime configuration is supplied exclusively via **environment variables** or your CI/CD secrets store. +3. A template file [`.env.example`](./.env.example) lists all required variables with empty placeholder values. Copy it to `.env` (which is git-ignored) and fill in values for **local development only**: + + ```bash + cp .env.example .env # create local env file + # then edit .env and set the variables + ``` + +4. For production/staging environments use your orchestrator (Docker, Kubernetes, Vercel, etc.) or a dedicated secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.) to inject environment variables securely. +5. Our CI pipeline includes secret-scanning to prevent accidental leaks on future commits. + +--- + +--- + ## Contributing Pull requests are welcome! For major changes please open an issue first to discuss what you would like to change. diff --git a/apps/hotel-management-service-admin/.env b/apps/hotel-management-service-admin/.env deleted file mode 100644 index e96bc90..0000000 
--- a/apps/hotel-management-service-admin/.env +++ /dev/null @@ -1,2 +0,0 @@ -PORT=3001 -VITE_REACT_APP_SERVER_URL=http://localhost:3000 \ No newline at end of file diff --git a/apps/hotel-management-service-server/.env b/apps/hotel-management-service-server/.env deleted file mode 100644 index f44c50d..0000000 --- a/apps/hotel-management-service-server/.env +++ /dev/null @@ -1,8 +0,0 @@ -BCRYPT_SALT=10 -COMPOSE_PROJECT_NAME=amp_cmf11s2hw02e2vfcrio3h910u -DB_NAME=my-db -DB_PASSWORD=admin -DB_PORT=5432 -DB_URL=postgres://admin:admin@localhost:5432/my-db -DB_USER=admin -PORT=3000 \ No newline at end of file
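Review bot: In the new `.env.example`, the single `PORT=""` entry merges two settings that the deleted files kept apart (`PORT=3001` in the admin app's `.env`, `PORT=3000` in the server's), so one root-level template cannot describe both apps. The deleted files also lived under `apps/hotel-management-service-admin/` and `apps/hotel-management-service-server/`, and nothing in this patch shows either app reading a `.env` from the repository root, which is where the README's `cp .env.example .env` puts it. Consider one `.env.example` per app directory, and keep the non-secret values the deleted file shows as plain numbers (`BCRYPT_SALT=10`, `DB_PORT=5432`) filled in, leaving only `DB_USER`, `DB_PASSWORD` and `DB_URL` blank.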
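Review bot: In the `.gitignore` hunk, `*.env.*` is broader than the comment "Sensitive files" suggests: it ignores any file with `.env.` anywhere in its name, for example a source file named `something.env.ts`, not only dotenv variants. If only dotenv files are meant, `.env` and `.env.*` are tighter. The `!.env.example` line is correctly placed last, since a negation only takes effect after the pattern it overrides, so keep that ordering if the patterns are changed.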
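Review bot: The README hunk ships an unresolved placeholder in its first added paragraph: `[PR #??](https://github.com/overcut-ai/awesome-overcut/pull/XXX)` needs the real PR number before merge, or the link should be dropped. Two smaller points in the same hunk: the section ends with `---`, a blank line and a second `---`, which renders as two rules in a row before `## Contributing`, so one of them should go; and step 5 states that the CI pipeline includes secret scanning, but this patch adds no workflow or scanner configuration, so either include that change here or point to where it already exists.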
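Review bot: Deleting `apps/hotel-management-service-server/.env` removes `DB_PASSWORD=admin` and `DB_URL=postgres://admin:admin@localhost:5432/my-db` from the working tree only; both stay readable in every earlier commit, so the README's statement that plaintext secret files were removed from version control holds for the tip of the branch and not for history. If these values were ever used outside a local database, rotate them as part of this change, and say in the PR description whether a history rewrite is planned or the old values are simply considered burned. The admin `.env` deletion needs no such follow-up, since it held only `PORT` and a localhost URL.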