// SECURITY GUIDE · JAVASCRIPT SECRETS
JavaScript Secrets
// WHAT IT IS
Modern JavaScript bundlers (webpack, Turbopack, Vite) inline environment variables directly into your front-end code. Anything prefixed NEXT_PUBLIC_, VITE_, or REACT_APP_ ends up readable by anyone who opens DevTools or downloads your JS bundle. We scan your public bundles for known secret patterns.
// WHAT WE SCAN FOR
[CRITICAL] Stripe Secret Key: sk_live_... in client code = full Stripe account access
[CRITICAL] AWS Access Key: AKIA... = full AWS console access if IAM is misconfigured
[CRITICAL] Private Key PEM: -----BEGIN PRIVATE KEY----- in a JS bundle
[HIGH] SendGrid API Key: SG.xxx.xxx = send emails as your domain
[MEDIUM] Supabase Anon Key: Public by design, but requires RLS to be safe
[INFO] Firebase API Key: Public by design, but requires Security Rules
// HOW TO FIX: NEXT.JS
# .env.local — NEVER use NEXT_PUBLIC_ for secrets
# server-only: no public prefix, so the bundler never inlines it into client code
STRIPE_SECRET_KEY=sk_live_...
# safe to expose: publishable key, meant for the browser
NEXT_PUBLIC_STRIPE_KEY=pk_live_...

// Access secrets only in API routes / server components
// app/api/checkout/route.ts
import Stripe from 'stripe'
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!)
// ↑ no NEXT_PUBLIC_ prefix = server only, never shipped in the JS bundle
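The following is an added example, not the guide's own scanner and not code from any bundler or framework. It covers both parts of this page: a scanner that walks bundle text for the secret shapes listed above (Stripe sk_live_, AWS AKIA, PEM private keys, SendGrid SG.x.y, plus Firebase API keys as INFO) and an .env lint that flags any NEXT_PUBLIC_/VITE_/REACT_APP_ variable whose value matches one of those shapes, since those are exactly the variables a bundler inlines. The regexes encode the publicly documented key formats; function names, the sample bundle and the sample .env are constructed for this example, and AKIAIOSFODNN7EXAMPLE is AWS's own documentation placeholder, not a real key. Public-by-design Supabase anon keys are deliberately not treated as secrets.

```javascript
// Added example: bundle secret scanner + .env lint for public-prefixed vars.
// Not the guide's scanner; patterns follow publicly documented key shapes.

// Prefixes that webpack/Turbopack/Vite/CRA inline into client code.
const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_'];

// Severity follows the guide's list. Regexes are written without flags so
// they can be reused with .test() and with a fresh global copy for matchAll.
const SECRET_PATTERNS = [
  { name: 'Stripe Secret Key', severity: 'CRITICAL', re: /sk_live_[0-9A-Za-z]{10,}/ },
  { name: 'AWS Access Key',    severity: 'CRITICAL', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'Private Key PEM',   severity: 'CRITICAL', re: /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/ },
  { name: 'SendGrid API Key',  severity: 'HIGH',     re: /SG\.[A-Za-z0-9_-]{16,}\.[A-Za-z0-9_-]{16,}/ },
  // Public by design, reported as INFO so the reader knows to check Security Rules.
  { name: 'Firebase API Key',  severity: 'INFO',     re: /\bAIza[0-9A-Za-z_-]{35}\b/ },
];

const SEVERITY_ORDER = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, INFO: 3 };

// Never echo a full secret into a report; keep enough to identify which one.
function redact(s) {
  return s.length <= 12 ? s.slice(0, 4) + '***' : s.slice(0, 8) + '***' + s.slice(-4);
}

// Scan raw bundle text (minified or not) and return findings sorted by
// severity, then line number. Works on any string, so it can be fed the
// output of `curl` against a deployed chunk or a local build artifact.
function scanBundle(source) {
  const findings = [];
  for (const { name, severity, re } of SECRET_PATTERNS) {
    for (const m of source.matchAll(new RegExp(re.source, 'g'))) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ name, severity, line, sample: redact(m[0]) });
    }
  }
  return findings.sort(
    (a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity] || a.line - b.line
  );
}

// Minimal dotenv-style parser: KEY=VALUE lines, '#' comments, optional quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = (value.startsWith('"') && value.endsWith('"')) ||
                   (value.startsWith("'") && value.endsWith("'"));
    if (quoted) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// Flag public-prefixed variables whose value looks like a secret. Variables
// without a public prefix are left alone: the bundler never inlines them.
function lintEnv(text) {
  const problems = [];
  for (const [key, value] of Object.entries(parseEnv(text))) {
    if (!PUBLIC_PREFIXES.some((p) => key.startsWith(p))) continue;
    for (const { name, severity, re } of SECRET_PATTERNS) {
      if (re.test(value)) {
        problems.push({ key, name, severity,
          reason: `${key} is inlined into the client bundle but holds a ${name}` });
      }
    }
  }
  return problems;
}

// Constructed sample bundle: a publishable key (fine), a leaked Stripe secret,
// AWS's documentation placeholder key, and a Firebase key.
const SAMPLE_BUNDLE = [
  'var e=new t("pk_live_abcdefghijklmnop1234");',
  'var s=new t("sk_live_abcdefghijklmnop1234");',
  'var k="AKIAIOSFODNN7EXAMPLE";',
  'var f="AIzaconstructedSampleKey0123456789ABCDE";',
].join('\n');

// Constructed sample .env.local: two correct lines, two that would leak.
const SAMPLE_ENV = `
# constructed sample .env.local
STRIPE_SECRET_KEY=sk_live_abcdefghijklmnop1234
NEXT_PUBLIC_STRIPE_KEY=pk_live_abcdefghijklmnop1234
NEXT_PUBLIC_SENDGRID_KEY="SG.constructedsamplepart01.constructedsamplepart0123456789"
VITE_API_TOKEN=AKIAIOSFODNN7EXAMPLE
`;

console.log('bundle findings:', scanBundle(SAMPLE_BUNDLE));
console.log('env problems:', lintEnv(SAMPLE_ENV));
```

Run this before a deploy against the built chunks (for example everything under `.next/static` or `dist/assets`) and as a pre-commit hook on `.env*` files; a CRITICAL finding from `scanBundle` means the key is already public and should be rotated, not just removed from the next build.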