diff --git a/.env.example b/.env.example
index da4796f2..835d12e6 100644
--- a/.env.example
+++ b/.env.example
@@ -1,8 +1,13 @@
APP_NAME=OpenKab
APP_ENV=development
-APP_KEY=base64:4J2thsoUyMyPvi0K7KNlqj4aiKCnyUisCcqZswPkAwI=
+APP_KEY=
APP_DEBUG=false
-APP_URL=http://devopenkab.opendesa.id/
+APP_URL=http://localhost/
+
+# SECURITY NOTE:
+# - Jangan commit file .env ke repository (sudah ada di .gitignore)
+# - Ganti semua credential default sebelum deploy production
+# - File ini hanya untuk referensi dan testing, bukan untuk production
LOG_CHANNEL=daily
LOG_DEPRECATIONS_CHANNEL=null
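Review bot: Blanking `APP_KEY=` at the top of this hunk does not retire the key the template used to ship, which stays readable in the repository history. Any environment created by copying the old `.env.example` may still be encrypting sessions and cookies with that public value. The SECURITY NOTE block should say so explicitly, for example with a fourth bullet: `# - Run "php artisan key:generate" on every install; the APP_KEY previously shipped in this file is public and must never be reused`.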
@@ -12,18 +17,22 @@ LOG_LEVEL=debug
DB_CONNECTION=mysql
# database utama aplikasi OpenKab
+# Default values untuk testing (GitHub Actions)
+# PENTING: Ganti dengan credential yang aman untuk production!
DB_HOST=127.0.0.1
DB_PORT=3306
-DB_DATABASE=testing_db
-DB_USERNAME=root
-DB_PASSWORD=secret
+DB_DATABASE=
+DB_USERNAME=
+DB_PASSWORD=
# database kedua, opensid database gabungan
+# Default values untuk testing (GitHub Actions)
+# PENTING: Ganti dengan credential yang aman untuk production!
OPENKAB_DB_HOST=127.0.0.1
OPENKAB_DB_PORT=3306
-OPENKAB_DB_DATABASE=testing_gabungan_db
-OPENKAB_DB_USERNAME=root
-OPENKAB_DB_PASSWORD=secret
+OPENKAB_DB_DATABASE=
+OPENKAB_DB_USERNAME=
+OPENKAB_DB_PASSWORD=
BROADCAST_DRIVER=log
CACHE_DRIVER=file
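Review bot: The two added comment lines above `DB_HOST` and again above `OPENKAB_DB_HOST` announce "Default values untuk testing (GitHub Actions)", but the same hunk empties `DB_DATABASE`, `DB_USERNAME`, `DB_PASSWORD` and their `OPENKAB_DB_*` counterparts. The comment now describes values that are no longer in the file, and a reader may conclude that blank credentials are the intended test default. I would reword both to match what the file does, e.g. `# Left empty on purpose: CI injects these through the workflow env block; set real values in your local .env`.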
@@ -100,8 +109,8 @@ OTP_RESEND_MAX_ATTEMPTS=2
OTP_RESEND_DECAY_SECONDS=30
# Telegram Bot Configuration
-TELEGRAM_BOT_TOKEN=your_telegram_bot_token_here
-TELEGRAM_BOT_NAME=@your_bot_username_here
+TELEGRAM_BOT_TOKEN=
+TELEGRAM_BOT_NAME=
# Global Rate Limiter Configuration
RATE_LIMITER_ENABLED=false
diff --git a/.github/workflows/fresh-install-test.yml b/.github/workflows/fresh-install-test.yml
index 8c8985a5..6c41b690 100644
--- a/.github/workflows/fresh-install-test.yml
+++ b/.github/workflows/fresh-install-test.yml
@@ -50,4 +50,7 @@ jobs:
DB_DATABASE: testing_db
DB_USERNAME: root
DB_PASSWORD: secret
- run: php artisan migrate --seed && php artisan test
+ OPENKAB_DB_DATABASE: testing_gabungan_db
+ OPENKAB_DB_USERNAME: root
+ OPENKAB_DB_PASSWORD: secret
+ run: php artisan key:generate && php artisan migrate --seed && php artisan test
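Review bot: The new `php artisan key:generate` at the front of the `run:` chain writes the key into `.env`, so it only works if an earlier step has already created `.env` from `.env.example` with an `APP_KEY=` line in it. That step is outside this hunk, so please confirm it exists here and in `.github/workflows/test.yml`, which gets the same change. Since `.env.example` no longer carries a key, a missing copy step would fail the job at this command rather than at the tests. A one-line comment above the step, such as `# requires .env copied from .env.example (APP_KEY= must be present)`, would make the dependency visible.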
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 6b976314..438f586d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -58,5 +58,8 @@ jobs:
DB_DATABASE: testing_db
DB_USERNAME: root
DB_PASSWORD: secret
+ OPENKAB_DB_DATABASE: testing_gabungan_db
+ OPENKAB_DB_USERNAME: root
+ OPENKAB_DB_PASSWORD: secret
- run: php artisan migrate && php artisan test
+ run: php artisan key:generate && php artisan migrate && php artisan test
diff --git a/public/.htaccess b/public/.htaccess
index 2106ca4f..49447f19 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -5,6 +5,10 @@
RewriteEngine On
+ # Block access to dotfiles (including .env)
+ RewriteCond %{REQUEST_URI} ^/\.env [NC]
+ RewriteRule ^ - [R=404,L]
+
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
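Review bot: The added comment promises to block dotfiles in general, but `RewriteCond %{REQUEST_URI} ^/\.env [NC]` only matches a path that begins with `/.env` at the site root. Requests such as `/sub/.env`, `/.git/config` or `/.htaccess` pass this rule, and so does `/.env` when the application is served from a sub-path. Either narrow the comment to what the rule does, or replace the pair with a single rule that covers any dot-segment while leaving ACME challenges reachable: `RewriteRule (^|/)\.(?!well-known(/|$)) - [R=404,L]`. The enclosing `<IfModule>` block starts and ends outside this hunk.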
@@ -29,3 +33,17 @@
Order Allow,Deny
Allow from all
+
+# Block direct access to .env and other dotfiles
+
+ Require all denied
+
+
+# Fallback for Apache 2.2
+
+
+ order allow,deny
+ deny from all
+ Satisfy All
+
+
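Review bot: These deny blocks live in `public/.htaccess`, so they only govern files served from `public/`; in the usual Laravel layout the real `.env` sits one directory above and is not covered by this file at all. They are worth keeping as defence in depth for a stray copy under `public/`, but the comment should not suggest they are the protection for `.env`. I would extend it to say so, e.g. `# Defence in depth only: the document root must point at public/ so that the project-level .env is never web-reachable`. The container directives around `Require all denied` and the Apache 2.2 fallback are not visible in this view, so I could not check which filenames they match.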