
Environment Variable

A named value set outside your code (at build time or runtime) used to configure your app without hardcoding secrets or per-environment settings.

Also known as: env var, environment config

What is an environment variable?

Environment variables are the standard way to configure an application differently across environments (local, preview, production) without changing code. A database URL, a Stripe secret key, a feature flag: all typically live in env vars.

In Next.js:

  • NEXT_PUBLIC_* variables are inlined into the client bundle at build time. Anyone viewing your site can read them in the served JavaScript, and because the value is baked in at build time, changing it means rebuilding.
  • All other env vars are available only to server-side code (API routes, route handlers, server components, middleware) and are not bundled for the browser. They reach a client only if your own code sends them there, for example by returning process.env values from an API response.

The AI-built app trap

The most common secret exposure bug in AI-built apps is naming a sensitive key with the NEXT_PUBLIC_ prefix. The app appears to work, but the secret is now public in your minified JavaScript.

Examples FinishKit has flagged:

  • NEXT_PUBLIC_STRIPE_SECRET_KEY
  • NEXT_PUBLIC_OPENAI_API_KEY
  • NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY

All three are catastrophic: a Stripe secret key lets anyone create charges and refunds against your account, an OpenAI API key lets anyone run up usage on your bill, and a Supabase service role key bypasses Row Level Security and gives full read and write access to every table. Treat a key that shipped this way as compromised: removing the prefix and redeploying keeps it out of future builds, but the old bundle was already served, so rotate the key as well.

Rules

  1. Anything with the word "secret", "private", "service role", or "admin" in its name must never have NEXT_PUBLIC_.
  2. Check your build output: grep -rE 'sk(_live_|_test_|-)' .next/static should return nothing (Stripe secret keys start with sk_live_ or sk_test_, OpenAI keys with sk-). This only catches secrets with a recognizable prefix; a Supabase service role key is a JWT that looks just like the public anon key, so grep for its literal value instead.
  3. In development, keep .env.local (and any other .env file that holds real values) in .gitignore, and never commit secrets in .env alongside the code.
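The three rules, plus the build-time inlining described above, can be enforced before every deploy. The script below is an added example, not FinishKit's scanner or code from Next.js; it assumes a standard Next.js layout (.env* files at the project root, client chunks under .next/static), and the secret-format regexes and the list of forbidden words are assumptions you should extend for your own providers. It goes beyond the grep in rule 2 in one way: a bare JWT is not reported, because the Supabase anon key is also a JWT and is meant to be public, so JWTs are decoded and only a role of service_role is flagged.

```javascript
// Added example (not FinishKit's or Next.js's own code): a pre-deploy check
// for misnamed NEXT_PUBLIC_ variables (rule 1) and secrets that reached the
// client bundle (rule 2). Paths, words and regexes below are assumptions.

// Rule 1: words that must never appear in a NEXT_PUBLIC_ variable name.
const FORBIDDEN_WORDS = ["SECRET", "PRIVATE", "SERVICE_ROLE", "ADMIN"];

// Rule 2: well-known secret formats that can be spotted in built client JS.
const SECRET_PATTERNS = [
  { label: "Stripe secret key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}/g },
  { label: "Stripe restricted key", re: /\brk_(?:live|test)_[A-Za-z0-9]{16,}/g },
  { label: "OpenAI API key", re: /\bsk-[A-Za-z0-9_-]{20,}/g },
];
// JWTs are matched separately and only reported when their claims say service_role.
const JWT_RE = /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

// Parse dotenv text into { NAME: value }; comments, blanks, export and quotes handled.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    let value = m[2].trim();
    if (/^(["']).*\1$/.test(value)) value = value.slice(1, -1);
    vars[m[1]] = value;
  }
  return vars;
}

// Names of NEXT_PUBLIC_ variables that, by their own name, hold something secret.
function findMisnamedPublicVars(envText) {
  return Object.keys(parseDotenv(envText)).filter(
    (name) =>
      name.startsWith("NEXT_PUBLIC_") &&
      FORBIDDEN_WORDS.some((w) => name.toUpperCase().includes(w))
  );
}

// Decode a JWT payload without verifying the signature; we only read the claims.
function jwtPayload(token) {
  try {
    return JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Secrets found in client-side JavaScript, as [{ label, match }].
function findLeakedSecrets(bundleText) {
  const hits = [];
  for (const { label, re } of SECRET_PATTERNS) {
    for (const m of bundleText.matchAll(re)) hits.push({ label, match: m[0] });
  }
  for (const m of bundleText.matchAll(JWT_RE)) {
    const claims = jwtPayload(m[0]);
    if (claims && claims.role === "service_role") {
      hits.push({ label: "Supabase service_role JWT", match: m[0] });
    }
  }
  return hits;
}

// Walk a project: every .env* file is checked for rule 1, every built client
// chunk for rule 2. Returns human-readable findings so CI can fail on any.
function scanProject(rootDir) {
  const fs = require("fs");
  const path = require("path");
  const findings = [];
  for (const name of fs.readdirSync(rootDir)) {
    if (!name.startsWith(".env")) continue;
    const text = fs.readFileSync(path.join(rootDir, name), "utf8");
    for (const v of findMisnamedPublicVars(text)) {
      findings.push(`${name}: ${v} is NEXT_PUBLIC_ but its name says it is secret`);
    }
  }
  const staticDir = path.join(rootDir, ".next", "static"); // assumed client output dir
  const stack = fs.existsSync(staticDir) ? [staticDir] : [];
  while (stack.length) {
    const dir = stack.pop();
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, entry.name);
      if (entry.isDirectory()) stack.push(p);
      else if (p.endsWith(".js")) {
        for (const { label, match } of findLeakedSecrets(fs.readFileSync(p, "utf8"))) {
          findings.push(`${path.relative(rootDir, p)}: ${label} (${match.slice(0, 12)}...)`);
        }
      }
    }
  }
  return findings;
}

// Usage: run `next build`, then `node check-env.js` from the project root.
if (typeof require !== "undefined" && require.main === module) {
  const findings = scanProject(process.cwd());
  findings.forEach((f) => console.error("LEAK: " + f));
  if (findings.length) process.exit(1);
  console.log("env check passed");
}
```

Run it after `next build` and before deploy; a non-zero exit blocks the release. The name check catches the mistake at the .env stage, before a build ever happens, while the bundle check is the safety net for secrets that reached the client by any other route, such as a server-only variable that was passed into a client component as a prop.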

Ready to ship?

Run a FinishKit scan and get a prioritized Finish Plan in minutes.
