Ganesh Joshi

No secrets in code

Updated 2026-02-13

Never hardcode API keys, tokens, passwords, or credentials; use environment variables or secret managers.

Use in Cursor, Windsurf, Codeium, or any AI-assisted editor.

# No secrets in code

Never hardcode API keys, tokens, passwords, or other credentials in source code, config files committed to version control, or logs.

- **Use instead:** Environment variables, secret managers (e.g. AWS Secrets Manager, HashiCorp Vault), or platform-specific secret injection (e.g. Vercel env vars, GitHub Secrets).
- **Examples to avoid:** `apiKey = "sk-..."`, `password = "secret"`, `.env` with real secrets committed, credentials in sample or example code that could be copy-pasted.
- **Document:** In README or comments, mention which env vars or secrets are required and how to obtain them, without exposing values.
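As an added example (not part of this rule page or its author's tooling), here is a small Python check in the spirit of the rule: a scanner that flags assignments of a quoted literal to a credential-like name (the `apiKey = "sk-..."` and `password = "secret"` patterns above), and a loader that reads a required secret from an environment variable and fails with a message naming the variable, never its value. The sample source lines, regex and function names are constructed for this example.

```python
import os
import re
from typing import Mapping, Optional

# Constructed sample: source lines that violate the rule, and lines that follow it.
SAMPLE_SOURCE = '''
apiKey = "sk-abcdef1234567890"
password = "secret"
token = os.environ["GITHUB_TOKEN"]
API_KEY_ENV = "STRIPE_API_KEY"  # the variable's name, not its value
db_url = os.getenv("DATABASE_URL")
'''

# Left-hand-side names that suggest a credential (matched case-insensitively).
SECRET_NAME = r"(api[_-]?key|token|password|passwd|secret|credential)"
# `name = "literal"` or `name: "literal"` with a credential-like name.
HARDCODED = re.compile(
    rf"""^\s*(?P<name>\w*{SECRET_NAME}\w*)\s*[:=]\s*["'](?P<value>[^"']+)["']""",
    re.IGNORECASE,
)
# An all-caps literal such as "STRIPE_API_KEY" names an env var; it is not a secret.
ENV_VAR_NAME = re.compile(r"^[A-Z][A-Z0-9_]*$")


def find_hardcoded_secrets(source: str) -> list:
    """Return (line_number, variable_name) for each suspected hardcoded secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = HARDCODED.match(line)
        if m and not ENV_VAR_NAME.match(m.group("value")):
            findings.append((lineno, m.group("name")))
    return findings


def require_secret(var_name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read a secret from the environment (or a supplied mapping) and fail fast if absent.

    The error names the variable so the README can say how to obtain it; the value
    itself is never echoed into logs or messages."""
    env = os.environ if env is None else env
    value = env.get(var_name)
    if not value:
        raise RuntimeError(f"required secret {var_name} is not set; see README")
    return value


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded secret assigned to {name!r}")
```

A check like `find_hardcoded_secrets` fits naturally in a pre-commit hook; a missing-variable failure from `require_secret` at startup is far cheaper than a credential committed to history.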