Checks for exposed API keys, secrets, and credentials in HTML/JS
Rule ID: security/leaked-secrets
Category: Security
Scope: Site-wide
Severity: error
Weight: 10/10

Solution

API keys and secrets exposed in client-side code can be harvested by attackers to access your services, incur charges, or steal data. Keep sensitive credentials in server-side code, loaded from environment variables that are never bundled into the browser build. For frontend apps, route authenticated API calls through a backend proxy so the browser never holds the credential. Rotate any exposed credentials immediately. Consider running secret scanning tools such as Gitleaks or TruffleHog in your CI/CD pipeline to prevent future leaks.
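The kind of check this rule performs, as an added example that is not the squirrel project's own code: a small Node.js scanner that flags credential-like strings in HTML/JS using well-known key prefixes plus a generic "secret = '...'" pattern filtered by Shannon entropy so that obvious placeholders are skipped. The pattern catalogue, the 3.5-bit threshold and the sample page are assumptions; the sample key values are the vendors' documented example keys, not live ones.

```javascript
// Added example (not part of squirrel): flag credential-like strings in HTML/JS.
// The pattern list is illustrative; a real scanner keeps a much larger catalogue.
const SECRET_PATTERNS = [
  { name: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'stripe-secret-key', re: /\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b/g },
  { name: 'github-pat', re: /\bghp_[0-9a-zA-Z]{36}\b/g },
  { name: 'google-api-key', re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  // Generic: a variable or attribute named like a secret assigned a long string literal.
  { name: 'generic-secret-assignment',
    re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']([^"']{16,})["']/gi },
];

// Shannon entropy in bits per character; placeholders like YOUR_API_KEY_HERE score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Returns one finding per match: { rule, line, match }. Lines are 1-based.
function scanForSecrets(source, minEntropy = 3.5) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // patterns are /g and shared, so reset before each line
      let m;
      while ((m = re.exec(line)) !== null) {
        const value = m[1] !== undefined ? m[1] : m[0];
        // Only the generic pattern is entropy-gated; prefixed formats are specific enough.
        if (name === 'generic-secret-assignment' && shannonEntropy(value) < minEntropy) continue;
        findings.push({ rule: name, line: idx + 1, match: value });
      }
    }
  });
  return findings;
}

// Constructed sample page (assumption): documented vendor example keys plus a placeholder.
const SAMPLE_HTML = `<script>
  const awsKey = "AKIAIOSFODNN7EXAMPLE";
  const apiKey = "YOUR_API_KEY_HERE";
  fetch("/api/data", { headers: { "X-Api-Key": "sk_test_4eC39HqLyjWDarjtT1zdp7dc" } });
</script>`;

console.log(scanForSecrets(SAMPLE_HTML)); // two findings: lines 2 and 4; line 3 is skipped
```

Entropy gating is a heuristic: short real tokens can score below the threshold and long English placeholders can score above it, so treat the generic rule as a prompt for review rather than proof of a leak.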

Enable / Disable

Disable this rule

squirrel.toml
[rules]
disable = ["security/leaked-secrets"]

Disable all Security rules

squirrel.toml
[rules]
disable = ["security/*"]

Enable only this rule

squirrel.toml
[rules]
enable = ["security/leaked-secrets"]
disable = ["*"]