Gotcha (Critical)
Environment secrets exposed in client bundle or git history
Tags: API key exposed, secret in git, client bundle, gitleaks, secret scanning, rotate secrets
Context: browser, ci-cd, terminal
Error Messages
Problem
API keys, database passwords, or other secrets end up in the client-side JavaScript bundle (because a bundler "public" prefix inlined them) or in the git repository (because a .env file or a hardcoded credential was committed). In either case the value is readable by anyone who can fetch the bundle or clone the repository.
Solution
Prevention:
(1) Keep secrets in .env files and understand your bundler's prefix rule: only variables carrying the public prefix (VITE_ in Vite, NEXT_PUBLIC_ in Next.js, REACT_APP_ in Create React App) are inlined into the client bundle. Prefix only values that are genuinely safe to publish; a secret that gets the prefix ships to every browser.
(2) Add .env* to .gitignore before the first commit (a committed .env.example with placeholder values is fine; real values are not).
(3) Run secret scanning as a pre-commit hook and in CI: GitHub secret scanning, gitleaks, or trufflehog.
(4) Server-side: load secrets from a secret manager in production rather than from files checked into the repository.
(5) CI: use the provider's encrypted secret storage and reference it from the workflow; never hardcode credentials in workflow files.

If a secret is already committed: treat it as compromised and rotate every exposed secret first, then rewrite history with git-filter-repo and force-push. Rewriting history is cleanup, not remediation: existing clones, forks, CI caches and the hosting provider may still hold the old commits, so rotation is the step that actually closes the exposure.
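As an added example (not tooling from the original page), the pre-commit/CI gate below turns prevention steps (1), (2), (3) and (5) into a check: it refuses staged .env files, flags well-known credential formats and URLs with embedded passwords, flags a secret-looking variable that carries a bundler public prefix (and would therefore be inlined into the client bundle), and accepts a workflow that references the provider's secret store instead of a literal. The staged file set is constructed inline and the key values are the vendors' published example keys; in practice you would feed it the output of git diff --cached. The prefix list, the patterns and the placeholder list are assumptions covering a few common cases, not an exhaustive scanner.

```python
"""Secret-leak gate for staged changes (added example; assumptions noted inline)."""
import re
from dataclasses import dataclass

# Assumed prefixes that make a bundler inline the variable into client-side JS.
PUBLIC_PREFIXES = ("VITE_", "NEXT_PUBLIC_", "REACT_APP_")

# A few well-known credential formats (assumption: representative, not exhaustive).
KEY_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_secret": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{24,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # scheme://user:password@host  (e.g. a DATABASE_URL with the password inline)
    "credential_in_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}

# NAME=value (dotenv, shell export) or NAME: value (YAML) assignments.
ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*[=:]\s*['\"]?([^'\"\s#]*)")
SECRET_NAME = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE|API_KEY", re.I)
PLACEHOLDERS = {"", "changeme", "xxx", "todo", "<redacted>", "your-key-here"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int  # 1-based; 0 when the finding concerns the file as a whole
    rule: str
    detail: str


def is_env_file(path: str) -> bool:
    """True for .env and .env.<anything>, except the .env.example template."""
    name = path.rsplit("/", 1)[-1]
    if name == ".env.example":
        return False
    return name == ".env" or name.startswith(".env.")


def is_literal_secret(value: str) -> bool:
    """A value is a real literal unless it is a placeholder or a $-reference to secret storage."""
    return not value.startswith("$") and value.lower() not in PLACEHOLDERS


def scan_file(path: str, text: str) -> list[Finding]:
    findings = []
    if is_env_file(path):
        findings.append(Finding(path, 0, "env_file_staged", "dotenv file must be in .gitignore"))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KEY_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if not SECRET_NAME.search(name) or not is_literal_secret(value):
            continue
        if name.startswith(PUBLIC_PREFIXES):
            findings.append(Finding(path, lineno, "public_prefix_on_secret",
                                    f"{name} would be inlined into the client bundle"))
        elif not is_env_file(path):
            # A secret literal in source or config, outside a dotenv file.
            findings.append(Finding(path, lineno, "hardcoded_secret", name))
    return findings


def gate(staged: dict[str, str]) -> list[Finding]:
    """Scan path -> content pairs; an empty list means the commit may proceed."""
    return [f for path, text in sorted(staged.items()) for f in scan_file(path, text)]


# Constructed sample of staged files; key values are the vendors' published example keys.
SAMPLE_STAGED = {
    ".env.local": "DATABASE_URL=postgres://app:hunter2@db.internal/prod\n"
                  "VITE_STRIPE_SECRET_KEY=sk_test_4eC39HqLyjWDarjtT1zdp7dc\n",
    ".env.example": "VITE_API_URL=https://api.example.com\nDATABASE_URL=changeme\n",
    "src/upload.js": 'const client = new S3({ accessKeyId: "AKIAIOSFODNN7EXAMPLE" });\n',
    ".github/workflows/deploy.yml": "env:\n  DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}\n",
}

if __name__ == "__main__":
    findings = gate(SAMPLE_STAGED)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.detail}")
    raise SystemExit(1 if findings else 0)
```

Wire it as a pre-commit hook that exits non-zero on any finding, and run the same script in CI so a developer who skips hooks is still caught; the workflow file passes because it references secret storage rather than a literal, which is exactly the distinction step (5) asks for.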
Why
Git stores the complete history: a secret removed in a later commit is still readable in every earlier one (git log -p, git show), and in every clone and fork made before the rewrite. Client bundles are plain text that anyone can read in browser DevTools or by fetching the JavaScript file directly; there is no hidden value in client-side code. Once a secret is exposed, assume it has already been harvested: automated scanners watch public repositories continuously, so rotation, not deletion, is what ends the exposure.