
react-doctor/public-env-secret-name

A public-prefixed env var whose name implies a secret (token, password, private key, service role) is inlined into the client bundle at build time, so a real credential stored there is readable by anyone who downloads the app's JavaScript.

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: client (browser-bundled) production source files; server dirs (api/backend/server/middleware/route/functions/lambdas/workers, *.server.*) and docs trees skipped

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires in client (browser-bundled) code when a public-prefixed env var — NEXT_PUBLIC_, VITE_, REACT_APP_, or EXPO_PUBLIC_ — has a NAME containing SECRET, TOKEN, PASSWORD, PRIVATE, DATABASE_URL, SERVICE_ROLE, AWS_ACCESS_KEY, or AWS_SECRET. It reports the first such name that is NOT on the trusted-public allowlist (Sentry DSN, *PUBLISHABLE*, Supabase ANON_KEY, PostHog/Mixpanel/Mapbox tokens, Algolia search key, Google Maps key, *PUBLIC_KEY*, and *_(DISABLE|ENABLE|ALLOW|REQUIRE)_* feature flags). Matching is name-only — it never inspects the value. FALSE POSITIVE: a value that is genuinely client-safe despite a scary name — a vendor's designated publishable/anon token not yet allowlisted, or a boolean flag like NEXT_PUBLIC_ENABLE_SECRET_MENU; confirm only when the name denotes a real credential that would be inlined into the bundle.
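The matching logic the prompt describes, as an added example that can be run against sample source. This is not the oxlint-plugin-react-doctor implementation: the prefixes, secret hints and allowlist entries are transcribed from the text above, while the regex form of the allowlist, the stripping of the public prefix before matching, the env-access syntaxes recognised (`process.env.X`, `import.meta.env.X`, `process.env["X"]`) and the path-based skip of server dirs are this example's own assumptions.

```javascript
"use strict";
// Added example (not react-doctor's own source): a simplified, name-only
// reimplementation of the public-env-secret-name check. Prefixes, hints and
// allowlist entries come from the rule text; their regex form, the prefix
// stripping and the env-access syntax handled are assumptions.

const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_", "EXPO_PUBLIC_"];

const SECRET_HINTS = [
  "SECRET", "TOKEN", "PASSWORD", "PRIVATE",
  "DATABASE_URL", "SERVICE_ROLE", "AWS_ACCESS_KEY", "AWS_SECRET",
];

// Trusted-public allowlist, applied to the name with its public prefix removed
// (assumed regex forms of the list in the validation prompt).
const TRUSTED_PUBLIC = [
  /SENTRY_DSN/, /PUBLISHABLE/, /SUPABASE_ANON_KEY/,
  /POSTHOG/, /MIXPANEL/, /MAPBOX/, /ALGOLIA_SEARCH/, /GOOGLE_MAPS/,
  /PUBLIC_KEY/,
  /(?:^|_)(?:DISABLE|ENABLE|ALLOW|REQUIRE)_/, // feature flags
];

// Directory names the rule skips (server-only code) plus docs trees.
const SERVER_DIRS = new Set([
  "api", "backend", "server", "middleware", "route", "functions", "lambdas", "workers",
]);

// Env access forms a bundler rewrites: process.env.X, import.meta.env.X, process.env["X"].
const ENV_ACCESS =
  /(?:process\.env|import\.meta\.env)(?:\.([A-Za-z0-9_]+)|\[\s*["']([A-Za-z0-9_]+)["']\s*\])/g;

function envNames(source) {
  return Array.from(source.matchAll(ENV_ACCESS), (m) => m[1] ?? m[2]);
}

function publicPrefix(name) {
  return PUBLIC_PREFIXES.find((p) => name.startsWith(p)) ?? null;
}

// Returns the first public-prefixed, secret-looking, non-allowlisted name, or null.
// Name-only: the value is never consulted, so a harmless value under a scary
// name still fires (that is the false-positive case the prompt asks you to vet).
function findPublicEnvSecretName(source) {
  for (const name of envNames(source)) {
    const prefix = publicPrefix(name);
    if (!prefix) continue; // no public prefix: the bundler does not inline it
    const rest = name.slice(prefix.length);
    if (!SECRET_HINTS.some((h) => rest.includes(h))) continue;
    if (TRUSTED_PUBLIC.some((re) => re.test(rest))) continue;
    return name;
  }
  return null;
}

// "Enabled when" scoping: skip *.server.* files and anything under a server or docs dir.
function isClientFile(path) {
  const parts = path.split("/");
  const base = parts[parts.length - 1];
  if (/\.server\./.test(base)) return false;
  return !parts.slice(0, -1).some((d) => SERVER_DIRS.has(d) || d === "docs");
}

function lint(path, source) {
  return isClientFile(path) ? findPublicEnvSecretName(source) : null;
}

// Constructed sample of a client component (not real project code).
const SAMPLE_CLIENT_SOURCE = `
  const dsn  = process.env.NEXT_PUBLIC_SENTRY_DSN;              // no secret hint
  const ph   = process.env.NEXT_PUBLIC_POSTHOG_TOKEN;           // TOKEN, but vendor-allowlisted
  const beta = process.env["NEXT_PUBLIC_ALLOW_PRIVATE_BETA"];   // PRIVATE, but a feature flag
  const db   = process.env.DATABASE_URL;                        // no public prefix: not inlined
  const svc  = import.meta.env.VITE_SUPABASE_SERVICE_ROLE_KEY;  // real credential: reported
  const api  = process.env.REACT_APP_API_TOKEN;                 // also bad; only the first is reported
`;

console.log(lint("src/app/page.tsx", SAMPLE_CLIENT_SOURCE)); // VITE_SUPABASE_SERVICE_ROLE_KEY
```

Because matching never looks at the value, the two things worth checking by hand when the rule fires are whether the name really denotes a credential and whether the file is genuinely browser-bundled; both are modelled here as `findPublicEnvSecretName` and `isClientFile` so each can be checked separately.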

Fix prompt

Use this once validation confirms the diagnostic is real.

If it is a real credential, move it to a server-only env var (drop the public prefix) and read it from server code or a backend route, because every NEXT_PUBLIC_/VITE_/REACT_APP_/EXPO_PUBLIC_ value is embedded in client JavaScript. Rotate it if it ever shipped in a bundle. If the value is genuinely public, rename it to a non-secret form (for example *_PUBLISHABLE_KEY, *_ANON_KEY) so it stops tripping the check.
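Why dropping the prefix is the fix, shown with an added example that is not react-doctor's or any bundler's code: a deliberately simplified model of the build-time env inlining that Next.js, Vite, CRA and Expo perform (only the prefix rule is modelled; the replace step stands in for the bundler's define/replace pass). The before/after sources, the `/api/data` route and the placeholder token value are all constructed for this example.

```javascript
"use strict";
// Added example (not react-doctor's, Next.js's or Vite's code): a minimal model
// of public-prefixed env inlining, to show what lands in the client bundle
// before and after the fix. Only the prefix rule is modelled; the real build
// step is a define/replace pass over the parsed module, not a string replace.

const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_", "EXPO_PUBLIC_"];
const ENV_REF = /process\.env\.([A-Za-z0-9_]+)/g;

// Client bundle: public-prefixed names become string literals in the output.
// Any other process.env reference is left untouched and resolves to undefined
// in the browser, so a prefix-less secret cannot reach the client even by mistake.
function bundleForClient(source, buildEnv) {
  return source.replace(ENV_REF, (ref, name) =>
    PUBLIC_PREFIXES.some((p) => name.startsWith(p)) ? JSON.stringify(buildEnv[name] ?? "") : ref
  );
}

function bundleLeaksValue(bundle, value) {
  return bundle.includes(value);
}

// Constructed build environment; the value is a placeholder, not a credential.
const BUILD_ENV = {
  NEXT_PUBLIC_API_TOKEN: "tok_example_do_not_use",
  API_TOKEN: "tok_example_do_not_use",
};

// BEFORE: the client component calls the vendor directly with a public-prefixed token.
const BEFORE_CLIENT = `
export async function load() {
  return fetch("https://vendor.example/v1/data", {
    headers: { Authorization: "Bearer " + process.env.NEXT_PUBLIC_API_TOKEN },
  });
}`;

// WRONG FIX: prefix dropped but the read left in client code. Nothing leaks,
// the request simply goes out with "Bearer undefined".
const HALF_FIXED_CLIENT = BEFORE_CLIENT.replace("NEXT_PUBLIC_API_TOKEN", "API_TOKEN");

// AFTER: the client calls a same-origin route; only the route handler, which
// runs on the server and is never browser-bundled, reads the prefix-less var.
const AFTER_CLIENT = `
export async function load() {
  return fetch("/api/data");
}`;

const AFTER_SERVER_ROUTE = `
export async function GET() {
  const upstream = await fetch("https://vendor.example/v1/data", {
    headers: { Authorization: "Bearer " + process.env.API_TOKEN },
  });
  return new Response(await upstream.text(), { status: upstream.status });
}`;

function demo() {
  const before = bundleForClient(BEFORE_CLIENT, BUILD_ENV);
  const half = bundleForClient(HALF_FIXED_CLIENT, BUILD_ENV);
  const after = bundleForClient(AFTER_CLIENT, BUILD_ENV);
  return {
    beforeLeaks: bundleLeaksValue(before, BUILD_ENV.NEXT_PUBLIC_API_TOKEN), // true
    halfFixedLeaks: bundleLeaksValue(half, BUILD_ENV.API_TOKEN),            // false
    halfFixedStillReads: half.includes("process.env.API_TOKEN"),            // true: broken, not leaked
    afterLeaks: bundleLeaksValue(after, BUILD_ENV.API_TOKEN),               // false
    serverReadsAtRuntime: AFTER_SERVER_ROUTE.includes("process.env.API_TOKEN"), // true
  };
}

console.log(demo());
```

The half-fixed case is why the prompt says to move the read into server code or a backend route rather than just renaming the variable: without the prefix the client can no longer see the value at all, so the feature that needed it has to move behind the route. Rotation of a token that already shipped is an operational step outside this example.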