ENVIRONMENT VARIABLES SECURITY FOR AI-GENERATED APPS | VIBEEVAL

AI Often Hardcodes Secrets

AI code generators frequently embed API keys directly in source code or commit .env files to git. These secrets end up public on GitHub, leading to stolen credentials, unauthorized access, and massive cloud bills within hours of deployment.

Environment Variables Security Checklist

Follow these 12 steps to secure your secrets. Critical items prevent immediate credential theft and unauthorized access.

Never commit secrets to git

Add .env files to .gitignore and verify that no API keys, tokens, or passwords remain anywhere in the version control history.

Use platform secret managers

Store secrets in Vercel, Netlify, or Railway’s encrypted environment variable systems instead of plain text files.

Separate dev and prod secrets

Use different API keys and credentials for development, staging, and production environments.

Prefix client-side variables

Use NEXT_PUBLIC_, VITE_, or REACT_APP_ prefixes intentionally and understand these are exposed to browsers.

Rotate secrets regularly

Implement a rotation schedule for API keys, database passwords, and authentication tokens every 90 days.

Audit environment variable access

Review which team members and services can read production secrets, and follow the principle of least privilege.

Validate required variables

Check all required environment variables are set at application startup and fail fast with clear error messages.

Use secret scanning tools

Enable GitHub secret scanning or GitGuardian to detect accidentally committed secrets in real time.
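To make the scanning step concrete, here is an added example of a small pattern-based secret detector, written for this page and not VibeEval's, GitHub's or GitGuardian's code. It runs over a constructed sample repository (the file names and values are made up) and reports findings without reproducing the secret itself in its output. Real scanners ship hundreds of provider-specific signatures plus entropy checks; the four rules here are illustrative.

```javascript
// Added example, not VibeEval's or any vendor's scanner: a minimal pattern-based detector for
// hardcoded secrets, run over constructed source lines so it works offline.

// A literal assigned to a name that suggests a credential, e.g. const STRIPE_SECRET_KEY = '...'
const SECRET_ASSIGNMENT =
  /(?:secret|token|password|passwd|api[_-]?key|private[_-]?key)\w*["']?\s*[:=]\s*(['"`])([^'"`]{12,})\1/i;
// A .env-style line with a non-empty value under a credential-like name
const DOTENV_SECRET = /^\s*[A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|KEY)[A-Z0-9_]*\s*=\s*(\S{12,})\s*$/;
// A URL carrying a password, e.g. postgres://user:password@host/db
const URL_CREDENTIAL = /[a-z][a-z0-9+.-]*:\/\/[^\s:@\/]+:([^\s@\/]+)@/i;
// Files that should never be tracked at all; .env.example and friends are templates and fine
const DOTENV_FILE = /(^|\/)\.env(\.[^\/]+)?$/;
const DOTENV_TEMPLATE = /\.(example|sample|template)$/;

// Values that are obviously placeholders rather than live credentials
function isPlaceholder(value) {
  return /^(\$\{|\$[A-Z_]|<|your[_-]|changeme|xxx|placeholder|example|dummy)/i.test(value);
}

// Show just enough of a value to locate it; scanner output must not become a second leak
function mask(value) {
  return `${value.slice(0, 4)}...(${value.length} chars)`;
}

function scanFile(filename, lines) {
  const findings = [];
  if (DOTENV_FILE.test(filename) && !DOTENV_TEMPLATE.test(filename)) {
    findings.push({ file: filename, line: 0, rule: 'committed-dotenv-file',
      hint: 'add to .gitignore and rotate everything inside it' });
  }
  lines.forEach((text, idx) => {
    const line = idx + 1;
    const assign = SECRET_ASSIGNMENT.exec(text);
    if (assign && !isPlaceholder(assign[2])) {
      findings.push({ file: filename, line, rule: 'hardcoded-secret-literal', hint: mask(assign[2]) });
    }
    const dotenv = DOTENV_SECRET.exec(text);
    if (dotenv && !isPlaceholder(dotenv[1])) {
      findings.push({ file: filename, line, rule: 'dotenv-secret-value', hint: mask(dotenv[1]) });
    }
    const url = URL_CREDENTIAL.exec(text);
    if (url && !isPlaceholder(url[1])) {
      findings.push({ file: filename, line, rule: 'credential-in-url', hint: mask(url[1]) });
    }
  });
  return findings;
}

function scanRepo(files) {
  return Object.entries(files).flatMap(([name, lines]) => scanFile(name, lines));
}

// Constructed sample repository; every value is made up and not a real credential.
const SAMPLE_REPO = {
  'src/payments.js': [
    "const STRIPE_SECRET_KEY = 'sk_test_EXAMPLE0000000000000000';", // hardcoded: finding
    'const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);',     // read from env: fine
  ],
  'src/db.js': [
    "const url = 'postgres://app:n0tARealPassw0rd@db.internal:5432/app';", // password in URL
  ],
  '.env.example': ['DATABASE_URL=', 'STRIPE_SECRET_KEY=your_key_here'],   // template: fine
  '.env': ['STRIPE_SECRET_KEY=sk_test_EXAMPLE0000000000000000'],           // must not be tracked
};

for (const f of scanRepo(SAMPLE_REPO)) {
  console.log(`${f.file}:${f.line} ${f.rule} ${f.hint}`);
}
```

Run it with node and it prints four findings: the literal in src/payments.js, the password embedded in the connection string, the tracked .env file itself, and the live value inside it. The line that reads process.env and the .env.example template produce nothing, which is the behaviour to aim for when wiring a scanner into CI so it stays quiet on correct code.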

Document environment variables

Maintain a .env.example file that lists every required variable with a description, but contains no actual secret values.
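The "Prefix client-side variables", "Validate required variables" and "Document environment variables" items above fit naturally into one startup guard. The following is an added example written for this page, not VibeEval's code: a single schema drives a fail-fast check at boot, a check that nothing secret-looking carries a NEXT_PUBLIC_, VITE_ or REACT_APP_ prefix, and generation of the .env.example file. The schema, the variable names and the sample environment are assumptions made for the example.

```javascript
// Added example, not VibeEval's own code: a fail-fast environment guard for a Node/Next.js app.
// The schema, variable names, descriptions and sample values are assumptions for the example.

const PUBLIC_PREFIXES = ['NEXT_PUBLIC_', 'VITE_', 'REACT_APP_'];
// Names that suggest a server-side credential; such a variable must never carry a
// browser-exposed prefix, because the bundler would ship its value to every visitor.
const SECRET_NAME = /(SECRET|PRIVATE|PASSWORD|PASSWD|TOKEN|API_KEY|CREDENTIAL)/i;

// Hypothetical schema: which variables the app needs and what each one is for.
const ENV_SCHEMA = {
  DATABASE_URL: { required: true, description: 'Postgres connection string (server only)' },
  STRIPE_SECRET_KEY: { required: true, description: 'Stripe server-side key (server only)' },
  NEXT_PUBLIC_APP_NAME: { required: false, description: 'Display name rendered in the browser' },
};

// Returns the names of missing required variables and of secret-looking variables that a
// bundler would expose. Values are deliberately never copied into the result.
function auditEnv(env, schema = ENV_SCHEMA) {
  const missing = Object.entries(schema)
    .filter(([name, rule]) => rule.required && !(env[name] && env[name].trim()))
    .map(([name]) => name);
  // Check every variable actually present, not only the schema, so an accidental
  // NEXT_PUBLIC_STRIPE_SECRET_KEY added outside the schema is still caught.
  const exposed = Object.keys(env).filter(
    (name) => PUBLIC_PREFIXES.some((p) => name.startsWith(p)) && SECRET_NAME.test(name),
  );
  return { missing, exposed, ok: missing.length === 0 && exposed.length === 0 };
}

// Fail fast at startup. The message names the problem variables but never their values,
// because it is likely to end up in a build log or crash report.
function assertEnv(env, schema = ENV_SCHEMA) {
  const result = auditEnv(env, schema);
  if (result.ok) return result;
  const problems = [];
  if (result.missing.length) {
    problems.push(`missing required variables: ${result.missing.join(', ')}`);
  }
  if (result.exposed.length) {
    problems.push(`secret-looking variables with a browser-exposed prefix: ${result.exposed.join(', ')}`);
  }
  throw new Error(`Environment check failed: ${problems.join('; ')}`);
}

// Render .env.example from the same schema, so the documentation cannot drift from what
// the guard actually requires and can never contain a real value.
function renderEnvExample(schema = ENV_SCHEMA) {
  return Object.entries(schema)
    .map(([name, rule]) => `# ${rule.description}${rule.required ? ' [required]' : ''}\n${name}=`)
    .join('\n') + '\n';
}

// Constructed sample environment: one required value missing, one secret mis-prefixed.
const SAMPLE_ENV = {
  DATABASE_URL: 'postgres://app:n0tARealPassw0rd@db.internal:5432/app',
  NEXT_PUBLIC_STRIPE_SECRET_KEY: 'sk_test_EXAMPLE0000000000000000',
  NEXT_PUBLIC_APP_NAME: 'Demo Shop',
};

try {
  assertEnv(SAMPLE_ENV);
} catch (err) {
  console.error(err.message);
}
console.log(renderEnvExample());
```

In a real app you would call assertEnv(process.env) once, as the first thing the server entry point does, and write renderEnvExample() to .env.example from a script so the file is regenerated whenever the schema changes. Prefix detection runs over every key present rather than only the schema, which is what catches a variable an AI assistant added in the platform dashboard without touching the code.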

Encrypt secrets in CI/CD

Use GitHub Actions secrets or encrypted environment variables for deployment pipelines, never plain text.

Set up secret expiration alerts

Configure notifications for expiring SSL certificates, API keys, and OAuth tokens before they break production.

Review build logs for leaks

Ensure CI/CD build logs do not print environment variables or secrets during deployment processes.
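One way to enforce this step mechanically, as an added example that is not VibeEval's code or any CI provider's built-in masking: a filter that redacts the values of secret environment variables from build output and reports which lines would have leaked them. The variable names, the sample values and the log lines are constructed for the example.

```javascript
// Added example, not VibeEval's code or a CI provider's masking feature: redact secret
// environment variable values from build log lines and report the lines that leaked them.
// SAMPLE_ENV and SAMPLE_LOG are constructed for the example.

const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|API_KEY|CREDENTIAL)/i;
// Masking very short values would also hide ordinary words, so those are reported
// as unprotected instead of being redacted.
const MIN_SECRET_LENGTH = 8;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Secret-looking entries of an environment object
function secretEntries(env) {
  return Object.entries(env).filter(
    ([name, value]) => SECRET_NAME.test(name) && typeof value === 'string',
  );
}

// Build a redactor for the secrets in `env`. Longest values first, so a secret that
// contains another secret as a substring is masked as a whole.
function buildRedactor(env) {
  const secrets = secretEntries(env)
    .filter(([, value]) => value.length >= MIN_SECRET_LENGTH)
    .sort((a, b) => b[1].length - a[1].length)
    .map(([name, value]) => ({ name, re: new RegExp(escapeRegExp(value), 'g') }));
  return function redact(line) {
    const hits = [];
    let text = line;
    for (const { name, re } of secrets) {
      const replaced = text.replace(re, `[REDACTED:${name}]`);
      if (replaced !== text) hits.push(name);
      text = replaced;
    }
    return { text, hits };
  };
}

// Redact a whole log and record which lines printed which secrets, plus any secrets too
// short for the filter to protect.
function scanBuildLog(lines, env) {
  const redact = buildRedactor(env);
  const leaks = [];
  const out = lines.map((line, idx) => {
    const { text, hits } = redact(line);
    if (hits.length) leaks.push({ line: idx + 1, names: hits });
    return text;
  });
  const shortSecrets = secretEntries(env)
    .filter(([, value]) => value.length < MIN_SECRET_LENGTH)
    .map(([name]) => name);
  return { lines: out, leaks, shortSecrets };
}

// Constructed sample environment and build output; the values are not real credentials.
const SAMPLE_ENV = {
  STRIPE_SECRET_KEY: 'sk_test_EXAMPLE0000000000000000',
  DATABASE_PASSWORD: 'n0tARealPassw0rd',
  LEGACY_API_KEY: 'abc123', // too short to redact safely; reported instead
  NODE_ENV: 'production',
  PORT: '3000',
};
const SAMPLE_LOG = [
  '$ npm run build',
  'Connecting to postgres://app:n0tARealPassw0rd@db.internal:5432/app',
  'DEBUG stripe client initialised with key sk_test_EXAMPLE0000000000000000',
  'Build completed in 42s',
];

const report = scanBuildLog(SAMPLE_LOG, SAMPLE_ENV);
for (const line of report.lines) console.log(line);
for (const leak of report.leaks) console.warn(`line ${leak.line} printed ${leak.names.join(', ')}`);
if (report.shortSecrets.length) console.warn(`unprotected short secrets: ${report.shortSecrets.join(', ')}`);
```

Pipe the build's stdout and stderr through scanBuildLog (or the redactor alone) before anything is written to the hosted log, and treat a non-empty leaks list as a failed build: a secret that reached the log is already compromised and should be rotated regardless of how quickly the line is masked. The filter only matches exact values, so a base64- or URL-encoded copy would slip through; platform-native masking has the same limitation, which is why the page's advice to keep secrets out of output entirely matters more than the redaction.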

Common Environment Variable Mistakes

Hardcoded API Keys

API keys and secrets directly in source code instead of environment variables, visible to anyone with repository access.

Client-Side Secret Exposure

Server-only secrets prefixed with NEXT_PUBLIC_ or VITE_, leaking private API keys to all website visitors.

Committed .env Files

.env files with real credentials committed to git, exposing production secrets in repository history.

Shared Dev/Prod Credentials

Using the same database password or API keys across all environments, amplifying breach impact.

Vercel Security Guide

Vercel-specific environment variable encryption

Netlify Security Guide

Netlify environment variable best practices

CI/CD Security Guide

Secure secrets in GitHub Actions pipelines

Code Security Scanning

Detect hardcoded secrets in your codebase

Scan for Exposed Secrets

VibeEval automatically detects hardcoded API keys, committed .env files, and client-side secret exposure in AI-generated code. Find credential leaks before attackers do.


14-day trial. No card. Results in under 60 seconds.
