When you are focused on writing code, it is easy to overlook where your personal information is leaking. But in practice, Git commit history, npm package metadata, domain WHOIS records, and other developer-specific channels expose personal data without you realizing it.
This article covers five ways developers unintentionally leak personal information and the specific fix for each.
Leak 1: Git Commit Email Addresses
Run git log and you see every committer's email address. On a public GitHub repository, anyone in the world can read it.
```bash
git log --all --format='%ae%n%ce' | sort -u
```
This command lists every unique author and committer email address across all branches in the repository's commit history.
Fix: Use GitHub's Noreply Email
GitHub provides each user with a noreply email address in the format ID+username@users.noreply.github.com (where ID is your GitHub numeric ID). You can find it under Settings → Emails.
```bash
git config --global user.email "123456+username@users.noreply.github.com"
```
In GitHub settings, enable "Keep my email addresses private" to use the noreply address for web-based operations too. Enable "Block command line pushes that expose my email" to reject pushes that contain your personal email.
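An added example (not part of the original article): a shell filter that reads `git log` output and reports every author or committer address that is not a GitHub noreply address, with a commit count per role. The function names and the sample history are constructed for illustration; the allowlist assumes the two `users.noreply.github.com` forms plus `noreply@github.com`, which GitHub sets as committer on web-based commits.

```shell
#!/bin/sh
# Added example: flag author/committer emails that are not GitHub noreply addresses.
# Input lines: "<short-hash>|<author-email>|<committer-email>", as produced by
#   git log --all --format='%h|%ae|%ce'

# Succeeds when the address is a GitHub-provided noreply address.
# "[]" in the character class also accepts bot accounts such as name[bot].
is_noreply() {
  printf '%s\n' "$1" | grep -Eiq \
    '^((([0-9]+\+)?[][a-z0-9-]+@users\.noreply\.github\.com)|noreply@github\.com)$'
}

# Reads the log lines on stdin; prints "<count> <role> <email>" per exposed address.
exposed_emails() {
  while IFS='|' read -r _hash author committer; do
    is_noreply "$author"    || printf 'author %s\n' "$author"
    is_noreply "$committer" || printf 'committer %s\n' "$committer"
  done | sort | uniq -c | awk '{print $1, $2, $3}'
}

# Constructed sample history (not from a real repository).
sample_log() {
  cat <<'EOF'
a1b2c3d|jane@example.com|jane@example.com
b2c3d4e|123456+username@users.noreply.github.com|noreply@github.com
c3d4e5f|jane@example.com|123456+username@users.noreply.github.com
EOF
}

sample_log | exposed_emails
# On a real repository: git log --all --format='%h|%ae|%ce' | exposed_emails
```

Changing `user.email` only affects new commits; addresses this check finds in existing history stay visible until that history is rewritten.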
Leak 2: npm Package Metadata
When you publish a package to npm, the author field in package.json and your .npmrc settings can expose your email. The npm registry API makes this available to anyone.
```bash
curl -s https://registry.npmjs.org/package-name | jq '.maintainers'
```
Fix: Control Public Information
Do not put your personal email in package.json's author field.
```json
{
  "author": "username"
}
```
Always enable npm 2FA. This is essential not just for privacy but for preventing package takeover (supply chain attacks).
Consider using GitHub's noreply email for your npm account, or set up a separate email address for public-facing development work.
Leak 3: Domain WHOIS Records
When you register a domain, WHOIS records publish the registrant's name, address, phone number, and email. A developer who registers a domain for a portfolio site or personal blog can end up with their home address publicly available worldwide.
Fix: Use WHOIS Privacy Protection
Most registrars offer WHOIS privacy protection (also called proxy registration). The registrar's information is displayed instead of yours.
| Registrar | WHOIS Privacy |
|---|---|
| Cloudflare Registrar | Free (enabled by default) |
| Google Domains (Squarespace) | Free (enabled by default) |
| Namecheap | Free (WhoisGuard) |
Cloudflare Registrar enables WHOIS privacy automatically at registration. No extra steps needed.
Leak 4: DNS Query Exposure
Your ISP can see every website you visit through DNS queries. Even though HTTPS encrypts the content of your communication, DNS requests are sent in plaintext by default.
For developers, this matters because:
- Domains of external APIs used in confidential projects are visible to your ISP
- Competitor research shows up in ISP logs
- DNS queries can be intercepted on public WiFi
Fix: Use Encrypted DNS and a VPN
DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypts your DNS queries.
```ini
# /etc/systemd/resolved.conf (Linux)
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes
```
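An added example (not part of the original article): a shell check that classifies the DNSOverTLS setting of a resolved.conf file and lists DNS= servers given without a `#hostname` suffix. systemd-resolved also accepts `DNSOverTLS=opportunistic`, which falls back to plaintext when TLS is unavailable; the function names and sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the DNSOverTLS setting of a resolved.conf file.

# Reads resolved.conf text on stdin and prints one of:
#   strict         DNSOverTLS=yes, queries fail rather than fall back to plaintext
#   opportunistic  TLS is tried but plaintext fallback is allowed (downgradable)
#   off            DNSOverTLS explicitly disabled
#   unset          no DNSOverTLS line in [Resolve]; the build default applies
dot_mode() {
  awk '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { in_resolve = ($0 ~ /^[ \t]*\[Resolve\]/); next }
    in_resolve && /^[ \t]*DNSOverTLS[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = tolower($0)
    }
    END {
      if (v ~ /^(yes|true|on|1)$/)   print "strict"
      else if (v == "opportunistic") print "opportunistic"
      else if (v == "")              print "unset"
      else                           print "off"
    }'
}

# Prints DNS= server entries that lack the "#hostname" suffix; without it
# systemd-resolved can only check the certificate against the server IP.
servers_without_hostname() {
  awk '
    /^[ \t]*DNS[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")
      n = split($0, s, /[ \t]+/)
      for (i = 1; i <= n; i++) if (s[i] != "" && s[i] !~ /#/) print s[i]
    }'
}

# Constructed sample configurations: a weak one, and the one shown in the article.
sample_weak() {
  printf '%s\n' '[Resolve]' 'DNS=1.1.1.1 1.0.0.1#cloudflare-dns.com' 'DNSOverTLS=opportunistic'
}
sample_page() {
  printf '%s\n' '[Resolve]' 'DNS=1.1.1.1#cloudflare-dns.com' 'DNSOverTLS=yes'
}

sample_weak | dot_mode
sample_weak | servers_without_hostname
# Real use: dot_mode < /etc/systemd/resolved.conf
```

Drop-in files under /etc/systemd/resolved.conf.d/ can override the main file, so run the same check on those.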
Browsers can also enable DoH independently. In Firefox, look for "DNS over HTTPS" in settings.
However, DoH alone does not hide IP-level connection destinations from your ISP. To hide both DNS queries and IP addresses, you need a VPN.
NordVPN routes DNS requests through the VPN tunnel, so your ISP only sees the connection to the VPN server. It also provides a DNS leak test tool.
Leak 5: Development Configuration Files
Development environments are scattered with sensitive data: .env files, .gitconfig, SSH configuration, and cloud credential files.
If these are not in .gitignore, or if you publish a dotfiles repository without sanitizing it, API keys and database URLs are exposed.
Fix: Manage Secrets Systematically
Lock down .gitignore. Start with GitHub's .gitignore templates and add project-specific files.
```gitignore
# .gitignore
.env
.env.*
*.pem
credentials.json
```
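git-secrets can automatically check for AWS keys and API tokens before each commit.
```bash
git secrets --install        # install the commit hooks into the current repository
git secrets --register-aws   # add the AWS credential patterns
```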
If you manage dotfiles in a public repository, exclude files containing secrets or templatize them before publishing. Do not push .gitconfig with your email or shell config files containing API tokens as-is.
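An added example (not part of the original article) covering both the .gitignore step and the dotfiles step: one function lists files that match the .gitignore patterns above but are already tracked, which .gitignore does not untrack, and one turns a dotfile into a publishable template. The function names, the placeholder strings and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: two pre-publish checks for a repository or dotfiles tree.

# Reads paths on stdin (for example from `git ls-files`) and prints those whose
# file name matches the .gitignore patterns above. A hit means the file is
# already tracked, so .gitignore no longer protects it.
tracked_secret_files() {
  while IFS= read -r path; do
    case "${path##*/}" in
      .env|.env.*|*.pem|credentials.json) printf '%s\n' "$path" ;;
    esac
  done
}

# Reads a dotfile on stdin and writes a template: the git email value and the
# values of exported variables named like secrets are replaced by placeholders.
templatize_dotfile() {
  sed -E \
    -e 's/^([[:space:]]*email[[:space:]]*=[[:space:]]*).*/\1YOUR_EMAIL_HERE/' \
    -e 's/^([[:space:]]*export[[:space:]]+[A-Za-z0-9_]*(TOKEN|SECRET|KEY|PASSWORD)[A-Za-z0-9_]*=).*/\1REDACTED/'
}

# Constructed sample inputs (not real files or credentials).
sample_tracked() {
  printf '%s\n' 'src/app.js' 'config/.env.production' 'deploy/server.pem' 'README.md'
}
sample_dotfile() {
  cat <<'EOF'
[user]
    name = username
    email = jane@example.com
export EDITOR=vim
export NPM_TOKEN=constructed-not-a-real-token
EOF
}

sample_tracked | tracked_secret_files
sample_dotfile | templatize_dotfile
# Real use: git ls-files | tracked_secret_files
```

A file reported by the first function can be untracked with `git rm --cached`, but it remains in earlier commits, so any key it contained should be rotated.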
Checklist
Here is a summary of all the fixes.
| Leak | What to check | Fix |
|---|---|---|
| Git | Does git log show your personal email? | Switch to noreply email |
| npm | Does package.json contain personal info? | Remove email from author, enable 2FA |
| WHOIS | Does your domain's WHOIS show your home address? | Enable WHOIS privacy protection |
| DNS | Are DNS queries sent in plaintext? | Configure DoH/DoT, use a VPN |
| Config files | Are .env or key files in your repository? | .gitignore + git-secrets |
Wrapping Up
Developer information leaks usually happen not through attacks but through your own configuration oversights. The email in Git commits, npm metadata, WHOIS records showing your home address — none of these were intended to be public, yet they are.
Each fix takes under five minutes. Change your Git email to noreply, enable WHOIS privacy protection, and configure encrypted DNS. These three steps alone dramatically reduce your personal information exposure.
If DNS query leaks or public WiFi interception concern you, NordVPN encrypts DNS requests along with all other traffic — the most comprehensive solution.