
    Environment Variables Security

    Best practices for managing secrets and environment variables across deployment platforms. Learn how to securely configure API keys, database credentials, and authentication tokens in AI-generated applications.

    AI Often Hardcodes Secrets

    AI code generators frequently embed API keys directly in source code or commit .env files to git. Once pushed to a public GitHub repository, these secrets are harvested by automated scanners, leading to stolen credentials, unauthorized access, and large cloud bills within hours of deployment.

    Environment Variables Security Checklist

    Follow these 12 steps to secure your secrets. Critical items prevent immediate credential theft and unauthorized access.

    Step 1

    Never commit secrets to git

    Critical

    Add .env files to .gitignore and verify that no API keys, tokens, or passwords exist anywhere in version control history. Treat any secret that was ever committed as compromised and rotate it: rewriting history does not un-leak it, because forks, clones, and caches keep the old commits.

    Step 2

    Use platform secret managers

    Critical

    Store secrets in the encrypted environment variable systems of Vercel, Netlify, or Railway instead of in plain text files. Where the platform offers it, mark values as sensitive so they cannot be read back from the dashboard after they are set.

    Step 3

    Separate dev and prod secrets

    Critical

    Use different API keys and credentials for development, staging, and production environments, so that a key leaked from a laptop or a staging deploy cannot reach production data.

    Step 4

    Prefix client-side variables

    Critical

    Use the NEXT_PUBLIC_, VITE_, or REACT_APP_ prefixes deliberately: the build tool inlines these values into the JavaScript bundle, so anyone who loads the site can read them. Only public identifiers (app URLs, publishable keys, analytics IDs) belong under these prefixes; server-only secrets never do.

    Step 5

    Rotate secrets regularly

    Critical

    Implement a rotation schedule for API keys, database passwords, and authentication tokens (every 90 days is a common baseline), and rotate immediately after any suspected exposure or when someone with access leaves the team.

    Step 6

    Audit environment variable access

    Review which team members, CI jobs, and services can read production secrets, and apply the principle of least privilege: grant read access to production values only to the roles that actually need it.

    Step 7

    Validate required variables

    Check that all required environment variables are set at application startup and fail fast with a clear error message that names the missing variable without printing any values.
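    The following is an added example, not code from the page, showing one way to implement Step 7 together with the Step 4 rule for client-exposed prefixes in a Node.js service: a schema of required variables is checked at startup, every problem is reported by variable name only, and any variable under a public prefix whose name looks like a server secret blocks startup. The variable names, the schema, and the name-based heuristic are assumptions chosen for illustration.

```javascript
// Added example: fail-fast environment validation for a Node.js service.
// Variable names, schema entries and the public-prefix heuristic are
// illustrative assumptions, not a library API.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_'];

// Name fragments that almost always denote a server-only secret. This is
// a heuristic: it deliberately excludes TOKEN and KEY, which also appear
// in legitimately public values such as map or analytics keys.
const SECRET_MARKERS = /(SECRET|PRIVATE|PASSWORD|PASSWD|SERVICE_ROLE)/;

// schema: { NAME: { required: boolean, validate?: (value) => boolean } }
function validateEnv(schema, env) {
  const errors = [];
  for (const [name, rule] of Object.entries(schema)) {
    const value = env[name];
    if (value === undefined || value === '') {
      if (rule.required) errors.push(`missing required variable ${name}`);
      continue;
    }
    if (rule.validate && !rule.validate(value)) {
      // Report the name only; the value must never reach logs.
      errors.push(`variable ${name} failed validation`);
    }
  }
  // Anything under a public prefix is inlined into the browser bundle.
  // Refuse to start if such a name looks like a server secret.
  for (const name of Object.keys(env)) {
    const isPublic = PUBLIC_PREFIXES.some((p) => name.startsWith(p));
    if (isPublic && SECRET_MARKERS.test(name)) {
      errors.push(`${name} is exposed to the browser but looks like a secret`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Call this once at process start, before opening any connections.
function loadConfigOrExit(schema, env = process.env) {
  const result = validateEnv(schema, env);
  if (!result.ok) {
    console.error('Refusing to start: invalid environment');
    for (const e of result.errors) console.error(`  - ${e}`);
    process.exit(1);
  }
  return Object.fromEntries(Object.keys(schema).map((k) => [k, env[k]]));
}

// Hypothetical schema for a small app (assumption for this example).
const SCHEMA = {
  DATABASE_URL: { required: true, validate: (v) => /^postgres(ql)?:\/\//.test(v) },
  STRIPE_SECRET_KEY: { required: true, validate: (v) => v.startsWith('sk_') },
  NEXT_PUBLIC_APP_URL: { required: true, validate: (v) => /^https:\/\//.test(v) },
  SENTRY_DSN: { required: false },
};

// Constructed sample environments (placeholders, not real credentials).
const GOOD_ENV = {
  DATABASE_URL: 'postgresql://app:placeholder@db.internal:5432/app',
  STRIPE_SECRET_KEY: 'sk_test_placeholder',
  NEXT_PUBLIC_APP_URL: 'https://example.com',
};
const BAD_ENV = {
  STRIPE_SECRET_KEY: 'pk_test_placeholder',               // publishable key in a secret slot
  NEXT_PUBLIC_APP_URL: 'https://example.com',
  NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY: 'placeholder',   // server secret under a public prefix
};

console.log(validateEnv(SCHEMA, GOOD_ENV));
console.log(validateEnv(SCHEMA, BAD_ENV));
```

    Run against BAD_ENV the check reports the missing DATABASE_URL, the STRIPE_SECRET_KEY that fails its format check, and the service-role key that would be shipped to every browser, and none of the messages contain a value. In a real service, replace the sample environments with a single call to loadConfigOrExit(SCHEMA) at the top of the entry point.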

    Step 8

    Use secret scanning tools

    Enable GitHub secret scanning or GitGuardian to detect accidentally committed secrets in real time, and add a pre-commit or pre-push scan so that secrets are caught before they ever reach the remote.

    Step 9

    Document environment variables

    Maintain a .env.example file that lists every required variable with a short description and an empty or placeholder value, never a real secret.

    Step 10

    Encrypt secrets in CI/CD

    Use GitHub Actions secrets or your CI provider's encrypted variables for deployment pipelines, and never put credentials in plain text in workflow files or pipeline scripts.

    Step 11

    Set up secret expiration alerts

    Configure notifications for expiring TLS certificates, API keys, and OAuth tokens well before they expire and break production.

    Step 12

    Review build logs for leaks

    Ensure CI/CD build logs do not print environment variables or secrets during deployment: avoid dumping the environment or debug-printing config objects, and mask known secret values before they reach log output, including connection-string passwords that drivers sometimes log on their own.
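    The following added example (not the page's code) shows one way to implement Step 12 in a Node.js build or deploy script: the values of known secret variables are collected up front, along with their URL-encoded form and the password embedded in any connection string, and every log line is scrubbed before it is written. The variable names, the sample environment and the sample log lines are constructed assumptions.

```javascript
// Added example: mask known secret values before they can appear in
// build or deploy logs. The variable names are assumptions; adapt the
// list to your own environment.
const SECRET_VAR_NAMES = ['DATABASE_URL', 'STRIPE_SECRET_KEY', 'AWS_SECRET_ACCESS_KEY'];

// Gather every form a secret is likely to take in a log line. Values
// shorter than 8 characters are skipped: masking "1" or "app" would
// shred ordinary log text without protecting anything.
function collectSecretValues(env, names = SECRET_VAR_NAMES) {
  const values = new Set();
  for (const name of names) {
    const v = env[name];
    if (!v || v.length < 8) continue;
    values.add(v);
    values.add(encodeURIComponent(v)); // the same value inside a query string
    try {
      // Connection strings embed a password that drivers often log by itself.
      const pw = decodeURIComponent(new URL(v).password);
      if (pw.length >= 8) values.add(pw);
    } catch (_) {
      // Not a URL; nothing extra to extract.
    }
  }
  // Longest first, so a whole URL is masked before its embedded password.
  return [...values].sort((a, b) => b.length - a.length);
}

// Plain string replacement: no regex, so metacharacters in a secret are safe.
function redact(line, secretValues) {
  let out = line;
  for (const v of secretValues) out = out.split(v).join('***');
  return out;
}

function redactLines(lines, secretValues) {
  return lines.map((l) => redact(l, secretValues));
}

// Constructed environment and log lines (placeholders, not real credentials).
const SAMPLE_ENV = {
  DATABASE_URL: 'postgres://app:placeholderpass@db.internal:5432/app',
  STRIPE_SECRET_KEY: 'sk_test_' + 'Y'.repeat(24),
  HOME: '/root', // not in SECRET_VAR_NAMES, so never masked
};
const SAMPLE_LOG = [
  'Connecting to postgres://app:placeholderpass@db.internal:5432/app',
  'pg: authentication failed for user app with password placeholderpass',
  `stripe: initialised with key ${SAMPLE_ENV.STRIPE_SECRET_KEY}`,
  'Build finished in 42s',
];

const SECRET_VALUES = collectSecretValues(SAMPLE_ENV);
for (const line of redactLines(SAMPLE_LOG, SECRET_VALUES)) console.log(line);
```

    The second sample line is the important case: the driver logged only the password, not the full connection string, and it is still masked because the password component was extracted from DATABASE_URL. On GitHub Actions the same effect for the runner's own log capture is obtained by registering each value with the ::add-mask:: workflow command at the start of the job; the function above is the equivalent for output your own scripts produce.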

    Common Environment Variable Mistakes

    Hardcoded API Keys

    Critical

    API keys and secrets directly in source code instead of environment variables, visible to anyone with repository access.

    Client-Side Secret Exposure

    Critical

    Server-only secrets prefixed with NEXT_PUBLIC_ or VITE_, leaking private API keys to all website visitors.

    Committed .env Files

    Critical

    .env files with real credentials committed to git, exposing production secrets in repository history.

    Shared Dev/Prod Credentials

    High

    Using the same database password or API keys across all environments, so that a compromised developer machine or staging deploy yields production access.

    Related Resources

    Scan for Exposed Secrets

    VibeEval automatically detects hardcoded API keys, committed .env files, and client-side secret exposure in AI-generated code. Find credential leaks before attackers do.
