docs: Clarify environment variable usage and add .env.production #141


Merged
merged 1 commit into from
Jun 8, 2025


nullcoder
Owner

Summary

  • Added .env.production file with clear warnings about security
  • Updated documentation to clarify build-time vs runtime variables
  • Added warnings to prevent accidental secret exposure in client bundle

Changes

New File: .env.production

  • Added with production Turnstile site key
  • Includes prominent warnings about not putting secrets here
  • Explains that this file is for build-time PUBLIC variables only

Documentation Updates

docs/LOCAL_DEVELOPMENT.md:

  • Added comprehensive explanation of all environment files
  • Clear distinction between build-time and runtime variables
  • Examples for each file type with warnings

docs/TURNSTILE_SETUP.md:

  • Added section about .env.production for production builds
  • Warning about not putting secrets in build-time files
  • Clarified the difference between public and secret keys

README.md:

  • Updated configuration section with environment variable explanation
  • Added warning about .env files containing only public variables
  • Clear examples of what goes where

Security Impact

This change helps prevent developers from accidentally exposing secrets by:

  • Making it crystal clear which files are for public vs secret values
  • Adding warnings in multiple places
  • Providing the correct patterns for handling secrets

Test Plan

  • Verified .env.production is properly formatted
  • Documentation is clear and consistent
  • Warnings are prominent and helpful
  • Verify build process uses .env.production correctly
  • Confirm no secrets are exposed in client bundle

🤖 Generated with Claude Code

- Add .env.production with clear warnings about not putting secrets
- Update documentation to explain build-time vs runtime variables
- Emphasize that .env files are for NEXT_PUBLIC_* variables only
- Clarify that secrets must use .dev.vars locally or wrangler secrets in production
- Add warnings throughout docs to prevent accidental secret exposure

This helps prevent developers from accidentally exposing secrets in the
client bundle by putting them in .env or .env.production files.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@nullcoder nullcoder merged commit 02aff3a into main Jun 8, 2025
1 check was pending
@nullcoder nullcoder deleted the docs/environment-variables-clarification branch June 8, 2025 08:54
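
The rule this PR documents (`.env` and `.env.production` hold `NEXT_PUBLIC_*` variables only) can be enforced with a small lint that runs before the build. The following is an added example, not code from this pull request or the project; the sample variable names, the finding rule names and the secret-name pattern are assumptions.

```javascript
// Added example: lint the text of a build-time env file (.env, .env.production).
// Rule taken from the PR: these files are for NEXT_PUBLIC_* variables only.
const PUBLIC_PREFIX = "NEXT_PUBLIC_";
// Assumption: name fragments that suggest a secret; tune for your project.
// "KEY" is deliberately absent so a public Turnstile site key is not flagged.
const SECRET_HINT = /(SECRET|TOKEN|PASSWORD|PRIVATE)/i;

function lintEnvText(text, fileName = ".env.production") {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return; // blank line or comment
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (!m) {
      // Not KEY=value: report it rather than silently skipping it.
      findings.push({ file: fileName, line: i + 1, key: null, rule: "unparsable" });
      return;
    }
    const key = m[1];
    if (!key.startsWith(PUBLIC_PREFIX)) {
      // Server-side value in a build-time file: belongs in .dev.vars / wrangler secrets.
      findings.push({ file: fileName, line: i + 1, key, rule: "not-public-prefix" });
    } else if (SECRET_HINT.test(key.slice(PUBLIC_PREFIX.length))) {
      // Public prefix on a secret-sounding name: the value would ship in the client bundle.
      findings.push({ file: fileName, line: i + 1, key, rule: "public-name-looks-secret" });
    }
  });
  return findings;
}

// Constructed sample input (hypothetical names, placeholder values).
const SAMPLE_ENV = [
  "# Build-time PUBLIC variables only",
  "NEXT_PUBLIC_TURNSTILE_SITE_KEY=placeholder-site-key",
  "TURNSTILE_SECRET_KEY=placeholder-secret",
  "NEXT_PUBLIC_ADMIN_TOKEN=placeholder-token",
  "export NEXT_PUBLIC_APP_URL=https://example.test",
].join("\n");

for (const f of lintEnvText(SAMPLE_ENV)) {
  console.log(`${f.file}:${f.line} ${f.rule} ${f.key ?? ""}`);
}
```

In CI, pass each build-time env file's text to `lintEnvText` and fail the job when it returns any finding.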