When you are focused on writing code, it is easy to overlook where your personal information is leaking. But in practice, Git commit history, npm package metadata, domain WHOIS records, and other developer-specific channels expose personal data without you realizing it.
This article covers five ways developers unintentionally leak personal information and the specific fix for each.
Leak 1: Git Commit Email Addresses
Run git log and you see every committer's email address. On a public GitHub repository, anyone in the world can read it.
```bash
git log --format='%ae' | sort -u
```
This command lists every unique author email address in the repository's commit history.
Fix: Use GitHub's Noreply Email
GitHub provides each user with a noreply email address in the format ID+username@users.noreply.github.com (where ID is your GitHub numeric ID). You can find it under Settings → Emails.
```bash
git config --global user.email "123456+username@users.noreply.github.com"
```
In GitHub settings, enable "Keep my email addresses private" to use the noreply address for web-based operations too. Enable "Block command line pushes that expose my email" to reject pushes that contain your personal email.
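To see which addresses a history still exposes after switching, the added example below (not part of the original article) filters GitHub-provided addresses out of both the author and committer fields. The function names are hypothetical and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.

# Read one address per line on stdin and print "count<TAB>address" for every
# address that is not a GitHub-provided one, most frequent first.
# noreply@github.com is the committer GitHub records for web-UI commits.
exposed_emails() {
  grep -Eiv \
    -e '^([0-9]+\+)?[^@[:space:]]+@users\.noreply\.github\.com$' \
    -e '^noreply@github\.com$' \
    -e '^$' \
  | sort | uniq -c | sort -rn | awk '{ print $1 "\t" $2 }'
}

# Audit a repository: author (%ae) and committer (%ce) addresses on every ref,
# not only the branch that is currently checked out.
audit_repo() {
  git -C "${1:-.}" log --all --format='%ae%n%ce' | exposed_emails
}

# Constructed sample input, so the filter can be tried without a repository.
printf '%s\n' \
  'dev@example.com' \
  '123456+username@users.noreply.github.com' \
  'noreply@github.com' \
  'dev@example.com' \
  'old-laptop@example.org' \
  | exposed_emails
```

Run `audit_repo /path/to/repo` before making a repository public; any address it prints is in history and stays there unless the history is rewritten.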
Leak 2: npm Package Metadata
When you publish a package to npm, the author field in package.json and your .npmrc settings can expose your email. The npm registry API makes this available to anyone.
```bash
curl -s https://registry.npmjs.org/package-name | jq '.maintainers'
```
Fix: Control Public Information
Do not put your personal email in package.json's author field.
```json
{
  "author": "username"
}
```
Always enable npm 2FA. This is essential not just for privacy but for preventing package takeover (supply chain attacks).
Consider using GitHub's noreply email for your npm account, or set up a separate email address for public-facing development work.
Leak 3: Domain WHOIS Records
When you register a domain, WHOIS records publish the registrant's name, address, phone number, and email. A developer who registers a domain for a portfolio site or personal blog can end up with their home address publicly available worldwide.
Fix: Use WHOIS Privacy Protection
Most registrars offer WHOIS privacy protection (also called proxy registration). The registrar's information is displayed instead of yours.
| Registrar | WHOIS Privacy |
|---|---|
| Cloudflare Registrar | Free (enabled by default) |
| Google Domains (Squarespace) | Free (enabled by default) |
| Namecheap | Free (WhoisGuard) |
Cloudflare Registrar enables WHOIS privacy automatically at registration. No extra steps needed.
Leak 4: DNS Query Exposure
Your ISP can see every website you visit through DNS queries. Even though HTTPS encrypts the content of your communication, DNS requests are sent in plaintext by default.
For developers, this matters because:
- Domains of external APIs used in confidential projects are visible to your ISP
- Competitor research shows up in ISP logs
- DNS queries can be intercepted on public WiFi
Fix: Use Encrypted DNS and a VPN
DNS over HTTPS (DoH) or DNS over TLS (DoT) encrypts your DNS queries.
```ini
# /etc/systemd/resolved.conf (Linux)
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com
DNSOverTLS=yes
```
Browsers can also enable DoH independently. In Firefox, look for "DNS over HTTPS" in settings.
However, DoH alone does not hide IP-level connection destinations from your ISP. To hide both DNS queries and IP addresses, you need a VPN.
NordVPN routes DNS requests through the VPN tunnel, so your ISP only sees the connection to the VPN server. It also provides a DNS leak test tool.
Leak 5: Development Configuration Files
Development environments are scattered with sensitive data: .env files, .gitconfig, SSH configuration, and cloud credential files.
If these are not in .gitignore, or if you publish a dotfiles repository without sanitizing it, API keys and database URLs are exposed.
Fix: Manage Secrets Systematically
Lock down .gitignore. Start with GitHub's .gitignore templates and add project-specific files.
```gitignore
# .gitignore
.env
.env.*
*.pem
credentials.json
```
git-secrets can automatically check for AWS keys and API tokens before each commit.
```bash
git secrets --install
git secrets --register-aws
```
If you manage dotfiles in a public repository, exclude files containing secrets or templatize them before publishing. Do not push .gitconfig with your email or shell config files containing API tokens as-is.
Checklist
Here is a summary of all the fixes.
| Leak | What to check | Fix |
|---|---|---|
| Git | Does git log show your personal email? | Switch to noreply email |
| npm | Does package.json contain personal info? | Remove email from author, enable 2FA |
| WHOIS | Does your domain's WHOIS show your home address? | Enable WHOIS privacy protection |
| DNS | Are DNS queries sent in plaintext? | Configure DoH/DoT, use a VPN |
| Config files | Are .env or key files in your repository? | .gitignore + git-secrets |
For VPN recommendations tailored to development work, see our Developer VPN Guide. If you manage VPSes, our SSH Security Hardening Guide walks through key auth and firewall setup. And if IP-level privacy is a concern, check What Does Your IP Address Reveal? How to Hide It.
FAQ
Can someone find my real email from GitHub?
Yes. Every commit records the author's email in git log. If you have ever pushed a commit with your personal email to a public repository, it is permanently visible unless you rewrite the history. Switch to GitHub's noreply email and enable "Block command line pushes that expose my email" to prevent future leaks.
Is WHOIS privacy protection legal?
Yes. WHOIS privacy (or proxy registration) is a legitimate service offered by most registrars. ICANN allows registrants to use privacy services. After GDPR took effect in 2018, many registrars started redacting personal data from WHOIS by default for EU registrants.
Does DNS over HTTPS hide everything from my ISP?
No. DoH encrypts DNS queries, so your ISP cannot see which domain names you are resolving. However, your ISP can still see the IP addresses you connect to. To hide both DNS queries and connection destinations, you need a VPN that routes all traffic through an encrypted tunnel.
Should I use a separate email for development?
It depends on your threat model. At minimum, use GitHub's noreply email for commits and npm. If you publish packages, contribute to open-source projects, or register domains, a dedicated development email keeps your personal inbox separate from publicly visible addresses.
How do I check if my API keys have already been leaked?
Run git log -p | grep -E "(AKIA|sk-|ghp_|npm_)" to scan your local history for common key patterns. GitHub Secret Scanning automatically checks public repositories and alerts you if it finds known token formats. For a pre-commit guard, install git-secrets to block commits containing AWS credentials or custom patterns you define.
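The grep above matches any line containing those prefixes, including ordinary words that happen to contain `sk-`. The added example below (not from the original article) reads `git log -p` output, checks added lines only, and reports commit and file without printing the full value. The length rules are assumptions about common token shapes, and the sample history is constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Reads `git log -p` output on
# stdin and prints: commit <TAB> file <TAB> kind <TAB> first 8 characters.
# Prefixes are the article's; the length rules are assumptions to tune.
scan_patch_stream() {
  awk '
    # Report matches of re in s that start on a token boundary and are
    # exactly `exact` characters long (or at least `min` when exact is 0).
    function check(s, re, exact, min, kind,    ok) {
      while (match(s, re)) {
        ok = (RSTART == 1 || substr(s, RSTART - 1, 1) !~ /[A-Za-z0-9]/)
        if (ok && (exact ? (RLENGTH == exact) : (RLENGTH >= min)))
          printf "%s\t%s\t%s\t%s...\n", commit, file, kind, substr(s, RSTART, 8)
        s = substr(s, RSTART + RLENGTH)
      }
    }
    /^commit [0-9a-f]+/ { commit = substr($2, 1, 12); file = "-"; next }
    /^\+\+\+ /          { file = substr($0, 5); sub(/^b\//, "", file); next }
    /^\+/ {                                  # added lines only
      check($0, "AKIA[0-9A-Z]+",     20, 0,  "aws-access-key-id")
      check($0, "ghp_[A-Za-z0-9]+",  40, 0,  "github-pat")
      check($0, "npm_[A-Za-z0-9]+",  40, 0,  "npm-token")
      check($0, "sk-[A-Za-z0-9_-]+", 0,  23, "sk-prefixed-key")
    }
  '
}

# Constructed input shaped like `git log -p`; the key is the AWS docs example.
sample_history() {
  cat <<'EOF'
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>

    add config

diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+REPORT=disk-usage-report-2024-01-01-final
EOF
}

# Real use: git log -p --all | scan_patch_stream
sample_history | scan_patch_stream
```

The sample prints one finding for `.env` and skips the `disk-usage-...` line, which the plain prefix grep would have flagged. Any key found in history should be treated as compromised and rotated, since removing the file in a later commit does not remove it from earlier ones.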
Does a VPN protect against all DNS leaks?
Not all VPNs handle DNS correctly. Some route DNS queries outside the tunnel, which defeats the purpose. NordVPN routes DNS through the VPN tunnel and provides a DNS leak test so you can verify. Always test after connecting.
Wrapping Up
Developer information leaks usually happen not through attacks but through your own configuration oversights. The email in Git commits, npm metadata, WHOIS records showing your home address — none of these were intended to be public, yet they are.
Each fix takes under five minutes. Change your Git email to noreply, enable WHOIS privacy protection, and configure encrypted DNS. These three steps alone dramatically reduce your personal information exposure.
If DNS query leaks or public WiFi interception concern you, NordVPN encrypts DNS requests along with all other traffic — the most comprehensive solution.