JavaScript

Where to put a secret file that no one should have access to except my site?

I want to create a website that will transfer money in real time from my ethereum wallet to another ethereum wallet. To do this, I use the web3.js library in the javascript file.

This js file also imports the .env file, which stores the API_URL of my application and also the key to my ethereum wallet. The key is written there so that transactions can be made.
I do everything according to tutorials from the Internet.
I know that the secret key to the ethereum wallet should be kept secret, because. whoever owns it actually owns the wallet itself and the ethers on it.
Even in all the tutorials it is written that even the .env file cannot be sent to the github.

I need to host my website.
There are two dangers here: either the hosting will steal my private key and ethers, or some user will download my site (through the same wget, for example) and get this key and my ethers.
Question: how can I place my site on the hosting without uploading the .env file there, so that I can still get data from .env in app.js?

(The data from .env is used in the transfer function)

_app.js:

function MyApp({ Component, pageProps }) {


  const Web3 = require("web3");

  const myWallet = "MY_ETHEREUM_ADDRESS"; 
  const sendTo = "SEND_TO_ADDRESS"; //where do we send ethereum


  const web3 = new Web3(new Web3.providers.HttpProvider("https://mainnet.infura.io/v3/MY_KEY_IN_INFURA")) //my key in infura
  let balance = web3.eth.getBalance(myWallet);

  function scanBalance(walletAddress) {


    //const web3 = new Web3(new Web3.providers.HttpProvider("https://mainnet.infura.io/v3/MY_PROJECT_ID")

    web3.eth.getBalance(walletAddress, function (err, bal) {
      if (err) {
        console.log(err)
      } else {
        balance = bal;
        console.log(`Balance [${myWallet}]: ${web3.fromWei(balance, "ether")}`);
      }
    })
  }
  
  scanBalance(myWallet);

 
//TypeError: web3.eth.filter is not a function
  const filter = web3.eth.filter('latest');
  
  filter.watch((err, res) => {
    scanBalance(myWallet)
  });


  async function transfer() {

    const { API_URL, PRIVATE_KEY } = process.env; //here the data from the .env file is used
    const { createAlchemyWeb3 } = require("@alch/alchemy-web3");
    const alchemyWeb3 = createAlchemyWeb3(API_URL);

    const nonce = await alchemyWeb3.eth.getTransactionCount(myWallet, 'latest'); // nonce starts counting from 0

    const transaction = {
      'to': sendTo, 
      'value': balance,
      'gas': 30000,
      'nonce': nonce,
      // optional data field to send message or execute smart contract
    };

    const signedTx = await alchemyWeb3.eth.accounts.signTransaction(transaction, PRIVATE_KEY);

    alchemyWeb3.eth.sendSignedTransaction(signedTx.rawTransaction, function (error, hash) {
      if (!error) {
        console.log(" The hash of your transaction is: ", hash, "\n Check Alchemy's Mempool to view the status of your transaction!");
      } else {
        console.log("❗Something went wrong while submitting your transaction:", error)
      }
    });
  }
  

  function checkBalanceVal() {
    if (balance > 0) {
      console.log("balance > 0");
      transfer();
    } else {
      console.log("balance < 0");
    }
  }

  return <Component {...pageProps} />
}

export default MyApp