From d27e2c24e1aa6eaf60cfdf61ba812ff9c7f933c2 Mon Sep 17 00:00:00 2001 From: Kam Date: Mon, 20 Apr 2026 22:29:17 +0300 Subject: [PATCH] docs: warn against storing secrets in environment files Add a CRITICAL callout warning that files in `src/environments/` ship to the client and should not hold secrets like API keys. --- adev/src/content/tools/cli/environments.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/adev/src/content/tools/cli/environments.md b/adev/src/content/tools/cli/environments.md index 380d79c4cf4..46db0bbccbf 100644 --- a/adev/src/content/tools/cli/environments.md +++ b/adev/src/content/tools/cli/environments.md @@ -99,6 +99,8 @@ export const environment = { }; ``` +CRITICAL: Files in `src/environments/` are bundled into your client-side application and visible to anyone who loads the page. Never store secrets such as API keys here. Use a server-side proxy or a secrets manager instead. + You can add target-specific configuration files, such as `environment.development.ts`. The following content sets default values for the development build target:
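Review bot: The last sentence of the added CRITICAL line, "Use a server-side proxy or a secrets manager instead", does not say that the secret has to stay on the server. A reader could take "a secrets manager" to mean fetching the value from the browser at runtime, which exposes it to the same audience the first sentence warns about. Suggest wording that ties both options to the server side, for example "Keep secrets on the server (for example in a secrets manager) and have the application call a server-side proxy that uses them." It would also help to name "API keys" more narrowly as secret or private API keys, since the callout says "Never" and gives no way to tell which values count as secrets.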