Overview
Our environment & secrets engine protects submitters by detecting API keys, tokens, and private keys pasted into forms in real time.
It prevents accidental leaks by warning you inline and disabling submission until the secret-like text is removed.
What it detects
Common secret types, such as API keys, tokens, and private keys from widely used services.
We also look for generic secret-like patterns to reduce accidental leaks while limiting false positives.
How it works
Client-side: While you type, we run lightweight checks and, if something looks sensitive, show a non-intrusive warning and temporarily disable submit.
Server-side: On submit, we repeat checks and block if needed. We avoid echoing back any sensitive values.
Example flow (diagram)
The diagram below shows data flow between the client scanner, the form action, moderation, and storage.
Severity & guidance
Sensitive findings block submission; less-sensitive cases may show a warning.
When documenting, mask examples (e.g., replace middle characters) instead of using real credentials.
If you see a false positive, lightly rephrase or mask; we aim to keep noise low.
Privacy
We do not store secret values from client checks. On the server, if a secret-like string is detected, the request is rejected and only pattern types are included in the response.
This is a best-effort safeguard. Automated checks can miss things or be overly cautious in rare cases.
Ultimately, never paste real credentials into public text. If you accidentally did, rotate the key and update any affected systems.
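As an added illustration of the client and server checks described under How it works, and of the masking guidance above (example code, not the engine's own): a small JavaScript scanner whose detector names, patterns and sample inputs are assumptions; its findings and server response carry only pattern types and positions, never the matched value.

```javascript
// Added example (not the service's own code): a small scanner in the spirit of
// the client/server checks described above. Detector names and regexes are assumptions.
const DETECTORS = [
  // PEM private key header (RSA, EC, OPENSSH, PKCS#8 ...): always blocks.
  { type: "private_key", severity: "block",
    re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  // sk_live_/sk_test_ keys: the short placeholder "sk_test_xxx" is too short to match.
  { type: "sk_key", severity: "block",
    re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/ },
  // Generic "secret = <long opaque value>": warn only, since false positives are likelier.
  { type: "generic_secret", severity: "warn",
    re: /\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*["']?[A-Za-z0-9_\-]{20,}/i },
];

// Returns findings that carry the pattern type and position but never the matched text.
function scanText(text) {
  const findings = [];
  for (const d of DETECTORS) {
    const m = d.re.exec(text);
    if (m) findings.push({ type: d.type, severity: d.severity, index: m.index });
  }
  return findings;
}

// Client-side verdict: "block" disables submit, "warn" shows the inline notice.
function decide(findings) {
  if (findings.some((f) => f.severity === "block")) return "block";
  return findings.length > 0 ? "warn" : "ok";
}

// Server-side check on submit: reject blocked content, return only pattern types.
function serverCheck(body) {
  const findings = scanText(body);
  const verdict = decide(findings);
  return {
    accepted: verdict !== "block",
    verdict,
    patternTypes: [...new Set(findings.map((f) => f.type))],
  };
}

// Mask a value for documentation: keep the first/last few characters, replace the middle.
function maskSecret(value, keep = 4) {
  if (value.length <= keep * 2) return "*".repeat(value.length);
  return value.slice(0, keep) + "*".repeat(value.length - keep * 2) + value.slice(-keep);
}

// Constructed sample inputs (not real credentials).
const SAMPLE_KEY = "sk_test_EXAMPLEEXAMPLEEXAMPLE1234";
const SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEexampleonly\n-----END RSA PRIVATE KEY-----";
console.log(serverCheck("config: " + SAMPLE_KEY)); // accepted: false, patternTypes: ["sk_key"]
console.log(maskSecret(SAMPLE_KEY));                // sk_t*************************1234
```

The masked form no longer matches any detector, which is the point of masking examples in documentation rather than pasting real values.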
Tips
Use placeholders for docs and examples, e.g., sk_test_xxx instead of full keys.
Never paste real credentials into public submissions. Rotate any keys you accidentally exposed.