no-exposed-env

Disallow exposing process.env variables to client-side code

Category: Security | Tier: Pro

Why This Matters

AI-generated code sometimes sends the entire process.env object, or individual secret environment variables, to the client. This leaks database passwords, API keys, and internal configuration to anyone who opens their browser dev tools, since every byte of the response is visible there.

Bad Code

// Leaking environment variables to the client
const config = { secret: process.env.JWT_SECRET };
res.json({ env: process.env });

Good Code

// Only expose public configuration: variables intended for the browser carry the
// NEXT_PUBLIC_ prefix, and anything else stays on the server
const pkg = require('./package.json');
const config = { apiUrl: process.env.NEXT_PUBLIC_API_URL };
res.json({ version: pkg.version });
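As an added example (not code from the lintmyai project or its rule), the allowlist pattern from Good Code made explicit and paired with a hypothetical guard, assertNoEnvLeak, that a server can run on any payload right before res.json(). SAMPLE_ENV is a constructed stand-in for process.env; the NEXT_PUBLIC_ prefix convention and the 12-character threshold are assumptions.

```javascript
// Added example, not code from the lintmyai project. SAMPLE_ENV is a constructed
// stand-in for process.env; both functions default to the real process.env.
const PUBLIC_PREFIX = 'NEXT_PUBLIC_'; // assumed convention for client-safe variables
const MIN_SECRET_LENGTH = 12;         // assumed threshold: skip short generic values
                                      // such as NODE_ENV=production to limit false positives

const SAMPLE_ENV = {                  // constructed sample environment, not real values
  NEXT_PUBLIC_API_URL: 'https://api.example.com',
  JWT_SECRET: 'constructed-jwt-secret-0123456789',
  DATABASE_URL: 'postgres://app:constructed-pw@db.internal/app',
  NODE_ENV: 'production',
};

// Build the object a client may receive: only NEXT_PUBLIC_* variables are copied,
// so a secret added to the environment later is never exposed by accident.
function publicConfig(env = process.env) {
  const out = {};
  for (const [name, value] of Object.entries(env)) {
    if (name.startsWith(PUBLIC_PREFIX) && typeof value === 'string') out[name] = value;
  }
  return out;
}

// Last-line defence before res.json(): throw if `payload` contains the env object
// itself (res.json({ env: process.env })) or the value of any non-public variable
// ({ secret: process.env.JWT_SECRET }). Returns the payload unchanged otherwise.
// Payloads headed for JSON serialization are acyclic, so no cycle tracking is needed.
function assertNoEnvLeak(payload, env = process.env) {
  const secretValues = new Map(); // value -> variable name, non-public variables only
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith(PUBLIC_PREFIX) && typeof value === 'string' &&
        value.length >= MIN_SECRET_LENGTH) {
      secretValues.set(value, name);
    }
  }
  const visit = (node, path) => {
    if (node === env) throw new Error(`process.env exposed at ${path}`);
    if (typeof node === 'string' && secretValues.has(node)) {
      throw new Error(`value of ${secretValues.get(node)} exposed at ${path}`);
    }
    if (node !== null && typeof node === 'object') {
      for (const [key, child] of Object.entries(node)) visit(child, `${path}.${key}`);
    }
  };
  visit(payload, 'payload');
  return payload;
}
```

The guard catches both shapes of Bad Code above at runtime; the lint rule catches them earlier, at review time, which is where they should be stopped.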

Configuration

This rule has no configuration options. It is enabled by default in lintmyai:recommended.