Multi-line .env values visible in incognito window


My application requires a private key, which I’d very much like to keep hidden. I include that key in my .env file, but when opening the project from an incognito window (where I would expect to see all files except .env and .data, correct?) I see a somewhat corrupted version of .env, and the sensitive content is very much still there.

In case it’s related to the content, I have:

# API key.

# Private key.


When opening the project in incognito, the .env file is there, the $(cat <<'END_HEREDOC' text is missing, and the private key itself is visible.

Here’s a link, where I’ve removed the parts I’m concerned about:


Ok, I see now that Glitch is not able to obscure multi-line env values. I was able to work around that by editing my private key to a single line, but it would be easier for others to remix my project if that weren’t necessary.

It would be great if multi-line .env values could be hidden correctly, as I could very easily have missed something like this.


ya the logic we’re using to mask env values is pretty basic, I’ll add support for parsing out multiline strings using cat to our backlog


Thanks! I think another option (maybe simpler?) would be to use a CodeMirror overlay to make some mask-ey effect on values, with the same single-line-only logic used for redacting, so it’s more transparent to the author what is and is not redacted.