[{"data":1,"prerenderedAt":243},["ShallowReactive",2],{"blog-checklists/environment-variables-checklist":3},{"id":4,"title":5,"body":6,"category":220,"date":221,"dateModified":221,"description":222,"draft":223,"extension":224,"faq":225,"featured":223,"headerVariant":228,"image":229,"keywords":229,"meta":230,"navigation":231,"ogDescription":232,"ogTitle":229,"path":233,"readTime":229,"schemaOrg":234,"schemaType":235,"seo":236,"sitemap":237,"stem":238,"tags":239,"twitterCard":241,"__hash__":242},"blog/blog/checklists/environment-variables-checklist.md","Environment Variables Security Checklist: 23-Item Guide",{"type":7,"value":8,"toc":214},"minimark",[9,16,19,22,47,66,80,98,115,134,153,158,161,183,202],[10,11,12],"tldr",{},[13,14,15],"p",{},"Add all .env files to .gitignore. Never use NEXT_PUBLIC_ or VITE_ prefix for secrets. Set production variables in your hosting platform, not in files. Use different values for development and production. If a secret is committed, consider it compromised and rotate it. 7 critical items must be fixed before launch, 10 important items within the first week, and 6 recommended items when you can.",[13,17,18],{},"Env vars seem simple, but they are one of the most common sources of security incidents. One wrong prefix and your secret key ships to the browser. One missing gitignore entry and your credentials end up on GitHub for the world to see. This checklist catches the mistakes that trip up even experienced developers.",[20,21],"print-button",{},[23,24,26,31,35,39,43],"checklist-section",{"title":25},"Quick Checklist (5 Critical Items)",[27,28],"checklist-item",{"description":29,"label":30},"Base .env file should not be committed",".env in .gitignore",[27,32],{"description":33,"label":34},"NEXT_PUBLIC_, VITE_, REACT_APP_ expose to browser","Secrets don't have public prefixes",[27,36],{"description":37,"label":38},"Vercel, Railway, Render environment settings","Production secrets set in hosting platform",[27,40],{"description":41,"label":42},"If committed, consider it compromised and rotate","No secrets in git history",[27,44],{"description":45,"label":46},"Database URLs, auth secrets, API keys should be server-only","API keys don't have public prefixes",[23,48,51,54,58,62],{"title":49,"count":50},".gitignore Configuration","4",[27,52],{"description":53,"label":30},"Base .env file should not be committed. How to secure .env files",[27,55],{"description":56,"label":57},"Local environment overrides should not be committed. How to secure .env files",".env.local in .gitignore",[27,59],{"description":60,"label":61},"Production secrets should never be in version control. How to secure .env files",".env.production in .gitignore",[27,63],{"description":64,"label":65},"Template file with placeholder values for documentation. How to create .env.example",".env.example committed (without real values)",[23,67,70,73,76],{"title":68,"count":69},"Client vs Server Variables","3",[27,71],{"description":72,"label":34},"NEXT_PUBLIC_, VITE_, REACT_APP_ expose to browser. How to separate client/server keys",[27,74],{"description":75,"label":46},"Database URLs, auth secrets, API keys should be server-only. How to secure API keys",[27,77],{"description":78,"label":79},"Analytics IDs, public API URLs, feature flags are okay. How to categorize config","Only public config uses public prefixes",[23,81,83,86,90,94],{"title":82,"count":50},"Production Configuration",[27,84],{"description":85,"label":38},"Vercel, Railway, Render environment settings. How to configure env variables",[27,87],{"description":88,"label":89},"Use platform's secret management, not files. How to deploy env variables","No .env files deployed to production",[27,91],{"description":92,"label":93},"Don't use production keys in development. How to manage API keys","Different values for dev/staging/production",[27,95],{"description":96,"label":97},".env.example lists all needed variables. How to document env variables","All required variables documented",[23,99,101,104,107,111],{"title":100,"count":50},"Secret Hygiene",[13,102,103],{},"::checklist-item{label=\"No secrets in code comments\" description=\"Don't leave \"old\" API keys commented out. How to review code for secrets\"}\n::",[27,105],{"description":106,"label":42},"If committed, consider it compromised and rotate. How to rotate secrets",[27,108],{"description":109,"label":110},"Don't log environment variables in your app. How to secure logging","Secrets not logged",[27,112],{"description":113,"label":114},"Error handling shouldn't expose connection strings. How to handle errors securely","Secrets not in error messages",[23,116,118,122,126,130],{"title":117,"count":50},"Framework-Specific Checks",[27,119],{"description":120,"label":121},"Server components can access non-prefixed vars. How to use Next.js env variables","Next.js: NEXT_PUBLIC_ only for public data",[27,123],{"description":124,"label":125},"Use server-side endpoints for secrets. How to use Vite env variables","Vite: VITE_ only for public data",[27,127],{"description":128,"label":129},"CRA apps need a backend for secrets. How to use CRA env variables","Create React App: REACT_APP_ only for public",[27,131],{"description":132,"label":133},"Production should use real env vars, not files. How to use Node.js env variables","Node.js: dotenv only in development",[23,135,137,141,145,149],{"title":136,"count":50},"What To Do If Secrets Are Leaked",[27,138],{"description":139,"label":140},"Generate new key/password/token in the service dashboard. How to rotate secrets","Immediately rotate the secret",[27,142],{"description":143,"label":144},"Deploy with the new value before revoking old one. How to deploy env variables","Update production with new secret",[27,146],{"description":147,"label":148},"Review logs for suspicious activity during exposure. How to audit API usage","Check for unauthorized usage",[27,150],{"description":151,"label":152},"It's still in forks/clones - just rotate the secret. How to respond to secret leaks","Don't try to remove from git history",[154,155,157],"h2",{"id":156},"how-to-use-this-checklist","How to Use This Checklist",[13,159,160],{},"Go through each section to ensure your environment variables are properly secured. The most common mistake is using public prefixes for secrets, which exposes them in the browser bundle.",[162,163,164,171,177],"faq-section",{},[165,166,168],"faq-item",{"question":167},"What happens if I accidentally commit a secret?",[13,169,170],{},"Consider it compromised immediately. Rotate the secret by generating a new one in the service's dashboard, update your production environment with the new secret, then revoke the old one. Don't waste time trying to remove it from git history.",[165,172,174],{"question":173},"How do I know if a variable is exposed to the browser?",[13,175,176],{},"Check your framework's documentation. In Next.js, NEXT_PUBLIC_ prefixed variables are exposed. In Vite, VITE_ prefixed ones are. In Create React App, REACT_APP_ prefixed ones are. Any variable with these prefixes will be bundled into your client-side code.",[165,178,180],{"question":179},"Should I use a secrets manager?",[13,181,182],{},"For most small to medium projects, your hosting platform's environment variable management is sufficient. Consider dedicated secrets managers like HashiCorp Vault or AWS Secrets Manager when you need advanced features like automatic rotation, audit logging, or cross-service secret sharing.",[184,185,186,192,197],"related-articles",{},[187,188],"related-card",{"description":189,"href":190,"title":191},"Step-by-step guide to hiding your keys","/blog/how-to/secure-api-keys","How to Secure API Keys",[187,193],{"description":194,"href":195,"title":196},"Security checks before going live","/blog/checklists/pre-deployment-security-checklist","Pre-Deployment Checklist",[187,198],{"description":199,"href":200,"title":201},"Complete security guide for Cursor projects","/blog/guides/cursor","Cursor Security Guide",[203,204,207,211],"cta-box",{"href":205,"label":206},"/","Start Free Scan",[154,208,210],{"id":209},"scan-for-exposed-secrets","Scan for Exposed Secrets",[13,212,213],{},"Our scanner checks for hardcoded API keys, misconfigured environment variables, and exposed secrets.",{"title":215,"searchDepth":216,"depth":216,"links":217},"",2,[218,219],{"id":156,"depth":216,"text":157},{"id":209,"depth":216,"text":210},"checklists","2026-01-27","Complete environment variables security checklist. .env file handling, production secrets, build-time vs runtime variables, and common mistakes to avoid.",false,"md",[226,227],{"question":167,"answer":170},{"question":173,"answer":176},"green",null,{},true,"Complete env vars security checklist. .env files, production secrets, mistakes.","/blog/checklists/environment-variables-checklist","[object Object]","HowTo",{"title":5,"description":222},{"loc":233},"blog/checklists/environment-variables-checklist",[240],"Security Checklist","summary_large_image","wAMKpm8naFXYEP2nywMrjkH01FtM5tLBOVdVBDxgHJ8",1775843931535]