Env file comments getting leaked surprised me

I often use one secret, then switch it with a different secret. To ease the switching, I comment out one secret and uncomment the other. Turns out that the comment is copied over when remixed. This may have caused my chat bot’s API key to get leaked. I don’t know if anyone remixed my project or not.

In general this statement seems potentially misleading:

You can use the .env file to hide sensitive information like passwords and data.

How can a user discover that comments are leaked before it’s too late?

Perhaps initialize a comment in each .env file stating very clearly in caps like “COMMENTS ARE VISIBLE TO USERS THAT REMIX THIS APP, MAKE SURE THERE ARE NO SECRETS IN YOUR COMMENTS”.
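One way to catch this before remixing, as an added example that is not code from the post or from the platform: a small Python scanner that reads a .env file and flags commented-out assignments whose variable name or value looks like a credential, since comment lines are copied on remix exactly like the active ones. The sample .env below is constructed to show the comment-out-and-switch pattern described above.

```python
import re
from typing import List, Tuple

# A commented-out assignment such as "# API_KEY=abc123" or "#export TOKEN = 'xyz'"
COMMENTED_ASSIGNMENT = re.compile(
    r"^\s*#\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$"
)
# Variable names that usually hold credentials
SECRET_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|PASSWD|AUTH)", re.IGNORECASE)


def _strip_quotes(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def find_secrets_in_comments(env_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, variable_name, reason) for every commented-out
    line that still looks like it carries a secret value."""
    findings = []
    for lineno, line in enumerate(env_text.splitlines(), start=1):
        m = COMMENTED_ASSIGNMENT.match(line)
        if not m:
            continue  # ordinary comment, not a disabled assignment
        name, value = m.group(1), _strip_quotes(m.group(2))
        if not value:
            continue  # "# API_KEY=" with nothing after it carries no secret
        if SECRET_NAME.search(name):
            findings.append((lineno, name, "commented-out credential-like variable"))
        elif len(value) >= 16 and " " not in value:
            findings.append((lineno, name, "commented-out long opaque value"))
    return findings


# Constructed sample .env (values are placeholders, not real credentials)
SAMPLE_ENV = """\
# Bot configuration
BOT_NAME=helper
# Old key, kept for quick switching:
# DISCORD_TOKEN=constructed-example-token-not-real
DISCORD_TOKEN=constructed-current-token-not-real
#PORT=3000
# DEBUG=
"""

if __name__ == "__main__":
    for lineno, name, reason in find_secrets_in_comments(SAMPLE_ENV):
        print(f"line {lineno}: {name}: {reason}")
```

Only the disabled DISCORD_TOKEN line is reported; the plain comments, the harmless commented PORT and the empty DEBUG assignment are not.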

Can you link me the project with the API key. (Take out the API key and replace it with random characters). I will remix it to see if I get the comments. You may have seen the comments because you made the project.

@ubershmekel welcome to the forum!

I’m sorry you had that experience. I’ve passed this feedback on to the team and we’re going to make sure starter projects with .env files have a proper warning in them. I hope you were able to replace that API key and were not adversely affected.


I remixed from incognito mode and saw the comment.