Security / Config
Secret
Any sensitive credential — API key, database password, signing token — that must never be exposed publicly.
A secret is a house key: the whole point is that only trusted people hold it, so you don't tape it to the front door — meaning don't commit it to GitHub and don't ship it in code that runs in the browser. This is one of the most common and most damaging AI-coding mistakes: keys get pasted into client-side files or committed in a .env, then scraped by bots within minutes. Keep secrets in environment variables or a dedicated secrets manager, and if one ever leaks, rotate it immediately — assume it's already compromised.