ClearedToShip
critical

How to secure your environment variables and secrets

The problem

AI-built apps routinely leak secrets by putting them in client-side env vars, committing .env files, or leaving them in the built bundle. Anything shipped to the browser is readable by anyone who loads the page, so secrets must live server-side only.

Step by step

  1. Know which vars are public

    Variables whose names start with NEXT_PUBLIC_, VITE_ or REACT_APP_ are inlined into the client bundle at build time, so anyone who loads the page can read their values (view-source is enough, no login required). Never put a real secret behind a public prefix; use it only for non-sensitive config such as a public API base URL or a publishable key.

  2. Keep secrets server-side

    Store API secrets, service-role keys and tokens in server-only environment variables (no public prefix) and read them only from server code, API routes or serverless functions. Do not import the module that reads them from client-side code: the server-only variable is of no use there, and the import is how such values end up in the bundle.

  3. Ignore and purge .env files

    Add .env and .env*.local to .gitignore before the first commit. If a secret was ever committed, treat it as compromised: rotate it first, then rewrite history (for example with git filter-repo or the BFG Repo-Cleaner) and force-push. Deleting the file in a new commit is not enough, because the old value persists in every prior commit, clone, fork and CI cache.

  4. Scan and verify

    Scan the built output you actually deploy (dist/, .next/static/ or equivalent) and the repository, including its history, for exposed keys. Search for the exact values of your server-side variables as well as for known key patterns, rotate anything that turns up, and repeat the scan after every deploy.

Want it verified, not just fixed?

Fixing it is step one. A ClearedToShip review confirms the fix actually holds and gives you a signed, insured clearance to launch. Join early access:
