| Item | Sensitive? | Where it lives |
|---|---|---|
| `GEMINI_API_KEY` | YES (server only) | `.env` locally, Vercel Env Vars in production |
| Firebase Web Config (`apiKey`, `appId`, ...) | No (public by design) | `firebase-config.js` |
| Firebase Admin SDK service account | YES (server only) | `.env` (never commit) |
| `GITGUARDIAN_API_KEY` | YES | `.env` (local only) |
Firebase Web API keys are designed to be public. They identify your project to Google servers but do not grant admin access. Security is enforced by Firebase Security Rules.
This project uses GitGuardian ggshield to scan every commit for leaked secrets.

```
pip install ggshield
ggshield auth login   # opens a browser; sign in with GitHub/GitLab or a GitGuardian account
```

The pre-commit hook at `.git/hooks/pre-commit` runs automatically on every `git commit`.
If a secret is detected, the commit is blocked and the hook prints:

```
GitGuardian: SECRET DETECTED in staged files!
---------------------------------------------
Your commit has been BLOCKED to protect your project.

To fix:
1. Remove the secret from the file
2. Move it to your .env file instead
3. Add the file to .gitignore if needed
4. Stage your changes again and re-commit
```
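The hook wrapper below is an added example, not the project's own `.git/hooks/pre-commit`. It runs `ggshield secret scan pre-commit` first and then goes beyond the page with a local fallback check: a Gemini key and the public Firebase web `apiKey` share the same `AIza...` format, so the check blocks such a key in any staged file except the allowlisted `firebase-config.js` named in the table above. Assumed: ggshield is installed and that file name is the only place a public Google key is expected.

```shell
#!/bin/sh
# Added example, not the project's own hook. Assumptions: ggshield is installed,
# and firebase-config.js is the one file allowed to carry a public Google API key.
ALLOWLIST="firebase-config.js"
# Google API keys (Gemini and Firebase web keys alike) look like AIza + 35 chars.
GOOGLE_KEY_RE='AIza[0-9A-Za-z_-]\{35\}'

# classify_path PATH: "allowed" if a Google API key may live there, else "blocked"
classify_path() {
  case "$(basename "$1")" in
    "$ALLOWLIST") echo allowed ;;
    *)            echo blocked ;;
  esac
}

# scan_content PATH (file content on stdin): 0 if clean, 1 if a Google key
# appears anywhere other than the allowlisted browser config.
scan_content() {
  if grep -q "$GOOGLE_KEY_RE"; then
    [ "$(classify_path "$1")" = allowed ] && return 0
    echo "Google API key found in $1 (only $ALLOWLIST may hold one)" >&2
    return 1
  fi
  return 0
}

# scan_staged: runs scan_content over the index copy of every staged file
# (paths without whitespace assumed).
scan_staged() {
  status=0
  for f in $(git diff --cached --name-only --diff-filter=ACM); do
    git show ":$f" | scan_content "$f" || status=1
  done
  return $status
}

print_block_message() {
  cat <<'EOF'
GitGuardian: SECRET DETECTED in staged files!
Your commit has been BLOCKED to protect your project.
To fix: remove the secret, move it to .env, add the file to .gitignore
if needed, then stage your changes again and re-commit.
EOF
}

main() {
  # ggshield's own scan first, then the local Google-key check as a fallback.
  ggshield secret scan pre-commit "$@" || { print_block_message; exit 1; }
  scan_staged || { print_block_message; exit 1; }
}
# Acts as a hook only when installed as .git/hooks/pre-commit; sourcing is harmless.
case "$0" in */pre-commit) main "$@" ;; esac
```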
- Server secrets go in `.env` (gitignored) locally and in Vercel / Render environment variables in production
- Never hardcode API keys, passwords, tokens, or private keys in source code
- Browser-facing config (like the Firebase Web Config) is OK in source; document clearly why it is safe
- Rotate immediately if you accidentally commit a secret
```
.env*
service-account*.json
*firebase-adminsdk*.json
*.pem, *.key, *.p12
```

All are covered in `.gitignore`.