Configuration

Secure Configuration Files with AI Prompts

January 2026AI Fix Prompts
Share

TL;DR

These prompts help you secure configuration files by separating secrets from non-sensitive config, adding validation, preventing accidental commits, and ensuring proper access controls. Keep your config clean and your secrets safe.

Audit and Secure Config Files

Use this prompt to audit your configuration and separate secrets:

Config Security Audit

Audit my configuration files for security issues.

Find and review:

  1. All config files (*.config.js, *.json, *.yaml, *.toml)
  2. Any hardcoded secrets in configuration
  3. Configuration that should vary by environment

For each config file:

  1. Identify any sensitive values that should be env vars
  2. Check if the file is in .gitignore (if it should be)
  3. Suggest a separation between public config and secrets

Create:

  1. A public config file (can be committed) with non-sensitive defaults
  2. Environment variable references for all secrets
  3. A config validation schema to catch missing values at startup
  4. Documentation of required vs optional configuration

Framework-Specific Config Security

Next.js Configuration

Next.js Config Security

Secure my Next.js configuration files.

Review and fix:

  1. next.config.js - ensure no secrets are exposed
  2. Check for secrets in publicRuntimeConfig (exposed to client!)
  3. Verify serverRuntimeConfig is used for server-only secrets
  4. Audit any custom config files

Create:

  1. A secure config/index.ts that loads env vars
  2. Proper separation of client-safe vs server-only config
  3. Validation that fails at build time if config is missing
  4. TypeScript types for all configuration values

Make sure NEXT_PUBLIC_ vars don't contain anything secret.

Node.js Config

Node.js Config Security

Create a secure configuration system for my Node.js application.

Requirements:

  1. Separate config from secrets completely
  2. Use environment variables for all secrets
  3. Allow config files for non-sensitive settings
  4. Support different environments (dev, staging, prod)
  5. Validate all config at startup

Structure:

  • config/default.js (non-sensitive defaults, committed)
  • config/env.js (environment overrides, committed)
  • .env files (secrets, NOT committed)

The system should:

  • Merge config files with env var overrides
  • Type-check configuration values
  • Fail fast with clear errors for missing required values
  • Never log sensitive values

Config Validation

Config Validation Schema

Create a configuration validation system using Zod (or similar).

For my project's configuration:

  1. Define a schema for all config values
  2. Include types (string, number, boolean, url, email)
  3. Mark which values are required vs optional
  4. Add default values where appropriate
  5. Include custom validation (valid URLs, proper formats)

The validation should:

  • Run at application startup
  • Provide clear error messages for missing/invalid values
  • Transform values where needed (string to number)
  • Export typed configuration object

Example config structure:

  • Database: URL, pool size, SSL mode
  • Auth: JWT secret, session duration, OAuth credentials
  • API: rate limits, timeouts, external service URLs
  • Features: feature flags and toggles

Never commit config files with real secrets: Even if you plan to change them later, secrets in git history can be extracted. Use .env files and .gitignore from the start.

Prevent Config Exposure

Config Exposure Prevention

Help me prevent configuration files from being exposed.

Check for:

  1. Config files accessible via web (/.env, /config.json)
  2. Source maps that might expose config
  3. Error messages that leak configuration
  4. API endpoints that return config values

Implement:

  1. Proper .gitignore for all sensitive config
  2. Server rules to block access to config files
  3. Error handling that doesn't expose secrets
  4. Audit logging for config access

For deployment platforms:

  • Vercel: check vercel.json for exposed routes
  • Netlify: review _redirects and _headers
  • AWS: check S3 bucket policies

Pro tip: Use a config management tool or library like convict (Node.js) or dynaconf (Python) that enforces validation and makes it easy to separate secrets from config.

Should config files ever be committed to git?

Non-sensitive configuration (feature flags, timeouts, public URLs) can be committed. Anything containing secrets, credentials, or API keys should never be committed.

How do I handle config for different environments?

Use environment variables that differ per deployment, combined with committed base config files. Never commit environment-specific secrets.

What's the difference between config and secrets?

Config is non-sensitive settings (timeouts, feature flags, public URLs). Secrets are credentials, API keys, and anything that would cause harm if exposed.

Related Articles

Move to Environment Variables

Proper env var setup

Add Proper .gitignore

Prevent config commits

Remove Hardcoded Secrets

Clean up your code

Audit Your Config Files

Scan your repository to find exposed configuration and secrets.

Start Free Scan
AI Fix Prompts

Secure Configuration Files with AI Prompts