Environment variable hygiene — Vercel / Netlify / Fly / Railway
Per-platform env-var setup with NEXT_PUBLIC_ guidance, secret manager recommendations, rotation cadence.
Where you put your env vars matters as much as what you put in them. Per-platform setup guide.
What it is
Cloud platforms differ in how env vars are stored, scoped, and protected: Vercel has a Sensitive flag, Netlify uses a lock icon, Fly uses fly secrets, and Railway uses references.
Vulnerable example
# .env committed to git
OPENAI_API_KEY=sk-proj-...
# Vercel env var with NEXT_PUBLIC_ prefix
NEXT_PUBLIC_STRIPE_SECRET=sk_live_...
Fixed example
# .gitignore
.env
.env.local
.env.production
.claude/
.cursor/
.continue/
# Vercel: mark Sensitive flag on every secret
# Fly: use fly secrets set; never fly.toml
# Rotate per /templates/env-var-hygiene
How Securie catches it
The secret_scanner and secrets-lifecycle specialists catch leaked secrets across all platforms; the static-rules pre-filter scans .gitignore for missing patterns.
Checklist
- No NEXT_PUBLIC_ on secrets
- Secrets in vendor's secret manager (not source)
- Rotation cadence: 30/60/90 days per category
- Per-key spend caps
- .gitignore includes AI-tool dot-dirs (.claude/, .cursor/, .continue/)
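A small pre-commit check for the first and last checklist items, added here as an example (it is not Securie's scanner; the secret-value patterns, name hints and sample files are constructed for illustration):

```javascript
// Added example, not Securie's scanner. Patterns and sample files are constructed.
const SECRET_VALUE_PATTERNS = [/^sk_live_/, /^sk_test_/, /^sk-proj-/, /^sk-/]; // Stripe/OpenAI secret shapes
// TOKEN is left out on purpose: public map/analytics tokens are legitimately NEXT_PUBLIC_.
const SECRET_NAME_HINTS = ['SECRET', 'PRIVATE', 'PASSWORD'];
// Patterns the fixed example says every .gitignore must carry.
const REQUIRED_IGNORES = ['.env', '.env.local', '.env.production', '.claude/', '.cursor/', '.continue/'];

// Parse dotenv text into [name, value] pairs, skipping comments and blank lines.
function parseDotenv(text) {
  const pairs = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, '$2'); // strip quotes
    pairs.push([name, value]);
  }
  return pairs;
}

// Checklist item 1: NEXT_PUBLIC_ variables whose name or value looks like a server secret.
function findPublicSecrets(dotenvText) {
  return parseDotenv(dotenvText)
    .filter(([name, value]) =>
      name.startsWith('NEXT_PUBLIC_') &&
      (SECRET_NAME_HINTS.some((h) => name.includes(h)) ||
        SECRET_VALUE_PATTERNS.some((re) => re.test(value))))
    .map(([name]) => name);
}

// Checklist item 5: required patterns missing from .gitignore (exact-line match).
function findMissingIgnores(gitignoreText) {
  const present = new Set(
    gitignoreText.split('\n').map((l) => l.trim()).filter((l) => l && !l.startsWith('#')));
  return REQUIRED_IGNORES.filter((p) => !present.has(p));
}

// Constructed sample files with placeholder values, not real keys.
const SAMPLE_ENV = [
  'NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_EXAMPLE', // fine: meant for the browser
  'NEXT_PUBLIC_STRIPE_SECRET=sk_live_EXAMPLE',          // leak: name and value both say secret
  'OPENAI_API_KEY="sk-proj-EXAMPLE"',                   // fine: server-only name
  'NEXT_PUBLIC_OPENAI=sk-proj-EXAMPLE',                 // leak: value shape gives it away
].join('\n');
const SAMPLE_GITIGNORE = 'node_modules/\n.env\n.env.local\n';
console.log(findPublicSecrets(SAMPLE_ENV));        // [ 'NEXT_PUBLIC_STRIPE_SECRET', 'NEXT_PUBLIC_OPENAI' ]
console.log(findMissingIgnores(SAMPLE_GITIGNORE)); // [ '.env.production', '.claude/', '.cursor/', '.continue/' ]
```

Run it against the repo's real .env.local and .gitignore from a pre-commit hook; a non-empty result from either function is a reason to block the commit.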
FAQ
Vercel Sensitive flag?
Marks the env var as not readable from build logs. Always enable it for secrets.
Related guides
Rotating an API key without taking your app down requires a specific dual-read single-write sequence. Here is the exact pattern.
Vercel environment variables have three flavors (development, preview, production) and two scopes (server-only and NEXT_PUBLIC_). Mixing them up leaks production secrets. Here is the rule and the canonical bugs.
NEXT_PUBLIC_-prefixed env vars ship in the client bundle. A server secret that is accidentally prefixed becomes a bundled credential shipped to every visitor. Here's the detection + fix.
Every week founders tweet about their OpenAI bill going from $10 to $10,000 overnight. Usually the cause is an API key committed to a public repo. Here is why it happens in Next.js specifically and how to stop it in five minutes.