astro-doctor/no-public-secret-env
Category: Security. Default severity: warn.
Warn when PUBLIC_ environment variables appear to contain secrets.
Why
Astro exposes environment variables prefixed with PUBLIC_ to client-side code, so their values are visible to anyone who loads the site. Names like PUBLIC_TOKEN, PUBLIC_SECRET, PUBLIC_PASSWORD, and PUBLIC_API_KEY usually indicate that a secret has been exposed by accident.
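To make the heuristic concrete, here is an added, stand-alone checker (not the plugin's own implementation) that scans source text for import.meta.env.PUBLIC_* reads and reports the ones whose name segments look secret-bearing. The keyword list and the helper names are assumptions for illustration; the sample frontmatter is constructed.

```javascript
// Assumed keyword list: a PUBLIC_ name is suspicious when any
// underscore-separated segment after the prefix is one of these.
const SECRET_SEGMENTS = new Set([
  'SECRET', 'TOKEN', 'PASSWORD', 'PASSWD', 'KEY', 'PRIVATE', 'CREDENTIAL', 'CREDENTIALS',
]);

// Matches dot access (import.meta.env.PUBLIC_X) and bracket access
// (import.meta.env['PUBLIC_X']); only PUBLIC_ names are captured.
const PUBLIC_ENV_RE =
  /import\.meta\.env(?:\.(PUBLIC_[A-Z0-9_]+)|\[\s*['"](PUBLIC_[A-Z0-9_]+)['"]\s*\])/g;

function looksLikeSecret(name) {
  // Drop the PUBLIC_ prefix, then test each segment against the keyword set.
  return name.slice('PUBLIC_'.length).split('_').some((seg) => SECRET_SEGMENTS.has(seg));
}

// Returns [{ name, line }] for every suspicious PUBLIC_ read in `source`.
function findSuspiciousPublicEnv(source) {
  const findings = [];
  for (const match of source.matchAll(PUBLIC_ENV_RE)) {
    const name = match[1] ?? match[2];
    if (!looksLikeSecret(name)) continue;
    // 1-based line number of the match, derived from the preceding text.
    const line = source.slice(0, match.index).split('\n').length;
    findings.push({ name, line });
  }
  return findings;
}

// Constructed sample frontmatter (not from a real project): two reads should
// be flagged, PUBLIC_API_URL is fine, and API_SECRET is server-only.
const SAMPLE = `---
const apiKey = import.meta.env.PUBLIC_API_KEY
const publicUrl = import.meta.env.PUBLIC_API_URL
const token = import.meta.env['PUBLIC_AUTH_TOKEN']
const secret = import.meta.env.API_SECRET
---`;

console.log(findSuspiciousPublicEnv(SAMPLE));
// → [ { name: 'PUBLIC_API_KEY', line: 2 }, { name: 'PUBLIC_AUTH_TOKEN', line: 4 } ]
```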
Examples
✗ Incorrect

Secret-looking public env variable:

---
const apiKey = import.meta.env.PUBLIC_API_KEY
---
<p>{apiKey}</p>

✓ Correct

Server-only secret, with a non-secret public value:

---
const apiKey = import.meta.env.API_KEY
const publicUrl = import.meta.env.PUBLIC_API_URL
---
<p>{publicUrl}</p>

Configuration
Override the default severity in your ESLint config:
// eslint.config.js
import astroDoctorPlugin from '@santi020k/eslint-plugin-astro-doctor'

export default [
  astroDoctorPlugin.configs.recommended,
  {
    rules: {
      'astro-doctor/no-public-secret-env': 'error', // or 'warn' or 'off'
    },
  },
]

Or in your doctor.config.ts:

export default {
  rules: {
    'astro-doctor/no-public-secret-env': 'error',
  },
}
All rules
- astro-doctor/no-client-load-overuse
- astro-doctor/use-astro-image
- astro-doctor/require-image-dimensions
- astro-doctor/no-missing-alt
- astro-doctor/no-set-html
- astro-doctor/no-public-secret-env (this page)
- astro-doctor/prefer-class-list
- astro-doctor/no-blocking-script
- astro-doctor/no-unprocessed-script-surprises
- astro-doctor/no-missing-lang
- astro-doctor/require-island-fallback
- astro-doctor/no-process-env
- astro-doctor/prefer-content-collections