secrets

(5 articles)
QStash Tokens Leaked via NEXT_PUBLIC_ Prefix
QStash · Upstash · Queue

May 3, 2026 · VibeWShield Team

Upstash QStash uses a bearer token for queue operations. Naming it `NEXT_PUBLIC_QSTASH_TOKEN` publishes it to every browser, and anyone can enqueue jobs — including paid ones.

Neon Branch Passwords Committed to Git — A Full Audit
Neon · Postgres · Git Hygiene

April 25, 2026 · VibeWShield Team

Neon creates a new Postgres branch per preview environment, each with its own connection string. AI tools love to commit `.env.preview.neon` to fix build errors. Here's how to reclaim them all.

Cloudflare Workers: Bindings vs Env — Where Your Secret Actually Leaks
Cloudflare Workers · Secrets · Edge Functions

April 24, 2026 · VibeWShield Team

Cloudflare treats 'Environment Variables' and 'Secret Bindings' as different things. Vibe-coded Workers mix them up, and half the 'secret' values end up readable in the Worker's preview URL.

Resend API Keys in Lead Forms: Why You Need to Rotate Them Tomorrow
Resend · Email · Secrets

April 21, 2026 · VibeWShield Team

Resend, the transactional email API, is one of the most-leaked secrets in 2026 vibe-coded apps. The contact-form pattern Lovable/Bolt generate puts the key in the client. Here's the audit.

How Exposed API Keys End Up in Your JavaScript Bundle
secrets · security · JavaScript

April 21, 2026 · VibeWShield Team

API keys bundled into client-side JavaScript are the #1 critical finding in vibe-coded apps. How it happens and how to fix it.
