diff --git a/doc/production-hosting.md b/doc/production-hosting.md
index 3ea4c4641de9979a9b308e23851c47ad730c07ed..641056fd94aa467daf16fff9ec58c8073a62d829 100644
--- a/doc/production-hosting.md
+++ b/doc/production-hosting.md
@@ -90,8 +90,6 @@ files:
 [shields-io-production.yml]: ../config/shields-io-production.yml
 [default.yml]: ../config/default.yml
 
-The project ships with `dotenv`, however there is no `.env` in production.
-
 ## Badge CDN
 
 Sitting in front of the three servers is a Cloudflare Free account which
diff --git a/package-lock.json b/package-lock.json
index 93033dd7cbc22b42aa7ee7f22bce9d1aec763828..244e4763859f6c3aac6bae559f84371f121a4249 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14096,7 +14096,8 @@
     "dotenv": {
       "version": "8.2.0",
       "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-8.2.0.tgz",
-      "integrity": "sha512-8sJ78ElpbDJBHNeBzUbUVLsqKdccaa/BXF1uPTw3GrvQTBgrQrtObr2mUrE38vzYd8cEv+m/JBfDLioYcfXoaw=="
+      "integrity": "sha512-8sJ78ElpbDJBHNeBzUbUVLsqKdccaa/BXF1uPTw3GrvQTBgrQrtObr2mUrE38vzYd8cEv+m/JBfDLioYcfXoaw==",
+      "dev": true
     },
     "duplexer": {
       "version": "0.1.1",
diff --git a/package.json b/package.json
index c1e2cfb4c76873f2433fecd6e0e0b6262e008ee7..94f86b91e143b80a1e46fc0f490ee47ee05ff844 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,6 @@
     "config": "^3.3.2",
     "cross-env": "^7.0.2",
     "decamelize": "^3.2.0",
-    "dotenv": "^8.2.0",
     "emojic": "^1.1.16",
     "escape-string-regexp": "^4.0.0",
     "fast-xml-parser": "^3.17.4",
diff --git a/server.js b/server.js
index cb7055612a0c40ae084beeccfac85733edc3cc42..7eb2bbc6f8f13651b27ef6872371374126021fd7 100644
--- a/server.js
+++ b/server.js
@@ -4,8 +4,6 @@
 const fs = require('fs')
 const path = require('path')
 
-require('dotenv').config()
-
 // Set up Sentry reporting as early in the process as possible.
 const config = require('config').util.toObject()
 const Sentry = require('@sentry/node')
@@ -37,6 +35,13 @@ if (process.argv[3]) {
 console.log('Configuration:')
 console.dir(config.public, { depth: null })
 
+if (fs.existsSync('.env')) {
+  console.error(
+    'Legacy .env file found. It should be deleted and replaced with environment variables or config/local.yml'
+  )
+  process.exit(1)
+}
+
 const legacySecretsPath = path.join(__dirname, 'private', 'secret.json')
 if (fs.existsSync(legacySecretsPath)) {
   console.error(