Free .env File Security Linter
Paste your .env and get instant findings · secrets that will ship to the browser, duplicate keys, quoting problems · plus a generated .env.example.
Frequently asked
Why is a secret under VITE_ or NEXT_PUBLIC_ a problem?
Those prefixes mean "bundle this into the frontend build". A VITE_STRIPE_SECRET_KEY isn't an environment variable anymore · it's public text in your JavaScript bundle, readable by every visitor. This is the single most common vibe-coding leak.
Is my .env content uploaded when I lint it?
No · all analysis runs in your browser. Nothing is transmitted or stored. For the deployed side of this check · whether your live app actually exposes env values · run a full SimplyScan.
Run a full security scan →