Never hardcode API keys or secrets in source code
Always use environment variables for API keys, database credentials, and other secrets.
Why This Matters
Hardcoded secrets end up in git history, CI logs, and client bundles. They cannot be rotated without a code change.
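An added example (not code from this page or from any project it describes) of reading secrets from the environment in a Next.js/Supabase server module, failing fast on missing values and rejecting a secret exported under the `NEXT_PUBLIC_` prefix, which Next.js inlines into the client bundle. The variable names, sample values and the `loadServerSecrets` and `describeForLogs` helpers are assumptions made for illustration.

```javascript
// Before (the pattern this rule forbids): the key is committed with the file
// and stays in git history even after the line is deleted.
//   const supabase = createClient(url, "service-role-key-literal");

// Secret names are assumptions for this example, not taken from the page.
const REQUIRED_SECRETS = ["SUPABASE_SERVICE_ROLE_KEY", "DATABASE_URL"];
// Next.js inlines any NEXT_PUBLIC_* variable into the browser bundle.
const PUBLIC_PREFIX = "NEXT_PUBLIC_";

// After: read secrets from the environment and validate them at startup.
function loadServerSecrets(env = process.env) {
  const problems = [];
  const secrets = {};
  for (const name of REQUIRED_SECRETS) {
    const value = env[name];
    if (typeof value !== "string" || value.trim() === "") {
      problems.push(`${name} is not set`);
    } else {
      secrets[name] = value;
    }
    // A secret exported under the public prefix would ship to every client.
    if (env[PUBLIC_PREFIX + name] !== undefined) {
      problems.push(`${PUBLIC_PREFIX}${name} exposes a secret to the client bundle`);
    }
  }
  if (problems.length > 0) {
    // Report variable names only, so values never reach CI logs.
    throw new Error("Invalid secret configuration: " + problems.join("; "));
  }
  return Object.freeze(secrets);
}

// Safe summary for startup logs: which secrets are loaded, never their values.
function describeForLogs(secrets) {
  return Object.keys(secrets).sort().map((name) => `${name}=[set]`).join(" ");
}

// Constructed sample environments (values are placeholders, not real keys).
const goodEnv = {
  SUPABASE_SERVICE_ROLE_KEY: "constructed-service-role-value",
  DATABASE_URL: "postgres://app:constructed-password@db.internal:5432/app",
};
const missingEnv = { DATABASE_URL: goodEnv.DATABASE_URL };
const leakyEnv = {
  ...goodEnv,
  NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY: goodEnv.SUPABASE_SERVICE_ROLE_KEY,
};
```

Rotating a key then means changing the deployment's environment and restarting, with no code change.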
Tags
nextjs, supabase