Leaked Environment Variables
Checks for exposed API keys, secrets, and credentials in HTML/JS
Checks for exposed API keys, secrets, and credentials in HTML/JS
| Rule ID | security/leaked-secrets |
| Category | Security |
| Scope | Site-wide |
| Severity | error |
| Weight | 10/10 |
Solution
API keys and secrets exposed in client-side code can be harvested by attackers to access your services, incur charges, or steal data. Move sensitive credentials to server-side code and use environment variables that are NOT exposed to the browser. For frontend apps, use a backend proxy to make authenticated API calls. Rotate any exposed credentials immediately. Consider using secret scanning tools like Gitleaks or TruffleHog in your CI/CD pipeline to prevent future leaks.
Enable / Disable
Disable this rule
squirrel.toml
toml[rules]
disable = ["security/leaked-secrets"]Disable all Security rules
squirrel.toml
toml[rules]
disable = ["security/*"]Enable only this rule
squirrel.toml
toml[rules]
enable = ["security/leaked-secrets"]
disable = ["*"]