URL: /rules/security/leaked-secrets

---
title: "Leaked Environment Variables"
description: "Checks for exposed API keys, secrets, and credentials in HTML/JS"
---

Checks for exposed API keys, secrets, and credentials in HTML/JS
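The kind of check this rule performs, as an added example written for this page rather than squirrel's own implementation: a small scanner that walks an HTML/JS document and flags strings that look like credentials. Well-known vendor key prefixes are matched directly; generic `api_key = "..."` style assignments are only reported when the quoted value has high Shannon entropy, which keeps obvious placeholders out of the report. The sample page, every key value in it, and the entropy threshold are constructed for this example.

```javascript
// Added example, not squirrel's own implementation: a scanner in the spirit of
// this rule that flags strings in HTML/JS which look like credentials.
// The vendor prefixes are publicly documented key formats; the sample page and
// all key values in it are constructed for this example.

const ENTROPY_THRESHOLD = 3.5; // bits per character; a tunable heuristic

const SECRET_PATTERNS = [
  { name: 'AWS access key id', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: 'Google API key', re: /\bAIza[0-9A-Za-z_-]{35}\b/g },
  { name: 'Stripe secret key', re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/g },
  { name: 'GitHub token', re: /\bgh[pousr]_[0-9A-Za-z]{36,}\b/g },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g },
  // Generic "secret = '...'" assignments: only the quoted value (group 2) is
  // judged, and only if it looks random enough, to avoid flagging placeholders.
  { name: 'High-entropy secret assignment', valueGroup: 2,
    re: /\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*["'`]([^"'`\s]{12,})["'`]/gi },
];

// Shannon entropy in bits per character; random tokens score high, words and
// repeated filler score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// 1-based line number of a character offset, for the report.
function lineOf(text, index) {
  let line = 1;
  for (let i = 0; i < index; i++) if (text.charCodeAt(i) === 10) line++;
  return line;
}

// Never echo a full credential back into logs or CI output.
function redact(value) {
  return value.slice(0, 4) + '***';
}

function scanForSecrets(text) {
  const findings = [];
  for (const { name, re, valueGroup } of SECRET_PATTERNS) {
    re.lastIndex = 0;
    let m;
    while ((m = re.exec(text)) !== null) {
      const value = valueGroup ? m[valueGroup] : m[0];
      if (valueGroup && shannonEntropy(value) < ENTROPY_THRESHOLD) continue;
      findings.push({ name, line: lineOf(text, m.index), preview: redact(value) });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample page: four real-looking leaks plus one low-entropy placeholder.
const SAMPLE_PAGE = `<!doctype html>
<html><head>
<script src="https://maps.example/api?key=AIzaSyD-EXAMPLE-0123456789abcdefghijklm"></script>
</head><body>
<script>
  window.STRIPE_KEY = "sk_test_EXAMPLE0123456789abcdefgh";
  const API_KEY = "x9Qm2LpZ7vKt4RwB";
  const password = "aaaaaaaaaaaaaaaa";
  fetch("https://s3.example/bucket", { headers: { "x-amz-key": "AKIAIOSFODNN7EXAMPLE" } });
</script>
</body></html>`;

console.table(scanForSecrets(SAMPLE_PAGE));
```

Run it with `node scan.js` against any saved page or bundle by swapping `SAMPLE_PAGE` for the file contents; the output lists the pattern name, the line, and a redacted preview, which is what you would want in a CI log.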

| | |
|---|---|
| **Rule ID** | `security/leaked-secrets` |
| **Category** | [Security](/rules/security) |
| **Scope** | Site-wide |
| **Severity** | error |
| **Weight** | 10/10 |

## Solution

API keys and secrets exposed in client-side code can be harvested by anyone who views the page source or a JavaScript bundle, then used to access your services, incur charges against your account, or steal data. Move sensitive credentials to server-side code and read them from environment variables that are never exposed to the browser; note that frontend build tools inline any variable referenced from client code into the shipped bundle, so an `.env` file on its own does not keep a value private. For frontend apps, route authenticated API calls through a backend proxy that holds the credential and forwards only the requests the UI needs. Treat any credential that has reached a public page as compromised and rotate it immediately; removing it from the page does not undo the exposure. Consider running secret scanning tools such as Gitleaks or TruffleHog in your CI/CD pipeline to catch future leaks before they are deployed.

## Enable / Disable

### Disable this rule

```toml squirrel.toml
[rules]
disable = ["security/leaked-secrets"]
```

### Disable all Security rules

```toml squirrel.toml
[rules]
disable = ["security/*"]
```

### Enable only this rule

```toml squirrel.toml
[rules]
enable = ["security/leaked-secrets"]
disable = ["*"]
```
