TL;DR
Hardcoded credentials are passwords, API keys, or secrets written directly in your source code. Once pushed to a repo (even private), they are nearly impossible to fully remove. Use environment variables and secret managers instead. If you have exposed credentials, rotate them immediately.
Why This Happens
When vibe coding, it is tempting to paste an API key directly into your code to test something quickly. You plan to fix it later, but then you commit and push. Now that secret is in your git history forever.
// All of these are dangerous
const apiKey = "sk-1234567890abcdef";
const password = "admin123";
const dbUrl = "postgres://user:password@host/db";

// Firebase config with real keys
const firebaseConfig = {
  apiKey: "AIzaSyC...", // Real key in code!
  authDomain: "myapp.firebaseapp.com"
};
Git history is permanent: Even if you delete the file or change the value, the secret remains in git history. Attackers and bots scan GitHub for leaked credentials constantly.
How to Fix It
# .env (never commit this file! .env and .gitignore use # for comments, not //)
STRIPE_SECRET_KEY=sk_live_1234567890

# .gitignore
.env
.env.local
.env*.local

// Your code: the key is read from the environment at runtime.
// Locally a loader such as dotenv fills process.env from .env;
// in production the platform or a secret manager injects it.
import Stripe from "stripe";
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);
If You Already Exposed Credentials
- Rotate immediately: Generate new API keys and invalidate old ones
- Check for abuse: Review logs for unauthorized access
- Clean git history: Use git-filter-repo or BFG Repo Cleaner to purge the value from every commit (existing forks and clones keep their copies, so this never replaces rotation)
- Add pre-commit hooks: Prevent future leaks with tools like gitleaks
Is a private repo safe for secrets?
No. Private repos can become public, get cloned, or be accessed by anyone with repo access. Always use environment variables regardless of repo visibility.
What about frontend API keys?
Some keys are designed for frontend use (like publishable Stripe keys or restricted Firebase keys). But never expose secret keys, private keys, or keys with write/admin access.