Critiq Docs


security.misconfiguration

Do not inline secrets into Astro PUBLIC import meta defines

Astro and Vite `define` entries that set import.meta.env.PUBLIC_* must not be sourced from high-risk process.env secrets (database passwords, API keys, tokens).

#Metadata

Rule ID
ts.security.astro-vite-public-secret-define
Severity
high
Confidence
0.83
Languages
javascript, typescript
Presets
recommended, security, strict
Stability
experimental
Applies to
block
Tags
astro, rules-catalog, security, vite

#Why it matters

PUBLIC_* keys are intended for browser-visible configuration: Astro exposes them to client code by design. A `define` entry is substituted at build time, so mapping import.meta.env.PUBLIC_X to process.env.DB_PASSWORD or an API secret writes the literal value into every client bundle that references it, where anyone can read it from the served JavaScript. Rotating the secret is the only way to undo that once the bundle has shipped.

#Remediation

Keep secrets on the server: read them from private, server-only env vars (no PUBLIC_ prefix, not added to `define`) inside endpoints or server-rendered code, and reserve PUBLIC_* keys for values that are intentionally public, such as analytics IDs or a public API base URL. If a secret has already been inlined into a client bundle, rotate it.
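The following is an added example, not Critiq's own implementation of this rule: a simplified check in the spirit of the "Why it matters" and "Remediation" sections above. It takes the `define` map of an Astro/Vite config as the source-text expressions a linter would see, flags PUBLIC_* keys wired to process.env names that look like secrets, and shows a misconfigured block beside its hardened form. The secret-name heuristic and the sample config are assumptions constructed for illustration.

```javascript
// Added example (not Critiq's rule code): simplified detection of PUBLIC_*
// define entries sourced from secret-looking process.env names.

// Assumed heuristic: env var names that usually hold credentials.
const SECRET_NAME_PATTERN =
  /(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE_KEY|API_KEY|ACCESS_KEY|CONNECTION_STRING|DATABASE_URL)/i;

// Matches `process.env.NAME` or `process.env["NAME"]` in source text.
const PROCESS_ENV_PATTERN =
  /process\.env(?:\.([A-Za-z_][A-Za-z0-9_]*)|\[\s*['"]([A-Za-z_][A-Za-z0-9_]*)['"]\s*\])/g;

// Returns every process.env name referenced in one define expression.
function referencedEnvVars(expr) {
  const names = [];
  for (const m of expr.matchAll(PROCESS_ENV_PATTERN)) {
    names.push(m[1] ?? m[2]);
  }
  return names;
}

// Returns [{ key, envVar }] for each PUBLIC_* define entry whose value comes
// from a secret-looking process.env variable. Only PUBLIC_* keys are in scope
// because Astro exposes those to client code; `define` inlines the literal
// value at build time, so the secret ends up in the served bundle.
function findPublicSecretDefines(define) {
  const findings = [];
  for (const [key, expr] of Object.entries(define)) {
    if (!/^import\.meta\.env\.PUBLIC_/.test(key)) continue;
    for (const envVar of referencedEnvVars(expr)) {
      if (SECRET_NAME_PATTERN.test(envVar)) {
        findings.push({ key, envVar });
      }
    }
  }
  return findings;
}

// Constructed sample: a misconfigured astro.config.mjs `define` block, written
// as the source expressions a linter would read from the config file.
const badDefine = {
  'import.meta.env.PUBLIC_ANALYTICS_ID': 'JSON.stringify(process.env.ANALYTICS_ID)',
  'import.meta.env.PUBLIC_DB_PASSWORD': 'JSON.stringify(process.env.DB_PASSWORD)',
  'import.meta.env.PUBLIC_API_KEY': "JSON.stringify(process.env['STRIPE_SECRET_KEY'])",
};

// Hardened form: only the intentionally public identifier is defined. The
// database password and payment key stay in server-only env vars and are read
// with process.env inside server code, never through `define`.
const safeDefine = {
  'import.meta.env.PUBLIC_ANALYTICS_ID': 'JSON.stringify(process.env.ANALYTICS_ID)',
};

// Usage: report findings for the sample configs.
for (const f of findPublicSecretDefines(badDefine)) {
  console.log(`secret inlined into client bundle: ${f.key} <- process.env.${f.envVar}`);
}
console.log(`hardened config findings: ${findPublicSecretDefines(safeDefine).length}`);
```

The check is keyed on variable names, so a secret stored under an innocuous name (for example `DB_CONN`) would slip past it; treat it as a guardrail, not a guarantee, and review every PUBLIC_* define by hand.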

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.astro-vite-public-secret-define.rule.yaml.