🔒 LeakyPrompts

Free secret scanner for solopreneurs. Paste your public GitHub repo — I'll check for leaked keys and give you copy-paste prompts to fix with your AI coder. No judgment, just fixes 🚀

Stripe keys, OpenAI tokens, AWS credentials, GitHub PATs, and 25 more

Only public repos. No data is stored — your code is cloned temporarily and deleted after scanning.

🔧 Pro security prompts to use while building

Copy these into Claude, ChatGPT, or Cursor — they're tuned to help you build more securely without slowing down.

Secrets Audit Before Commit

Ask your AI to check for hardcoded secrets before you ship.

Review the following code for any hardcoded secrets, API keys, passwords, tokens, or credentials. For each one you find:
1. Tell me exactly where it is (file + line)
2. Explain the risk
3. Show me the fixed version using environment variables

Be thorough — check config files, test files, and commented-out code too. Only report real secrets, not placeholder values like "your-key-here".
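A minimal version of the check this prompt asks the AI to perform, as an added example (not LeakyPrompts' own scanner): regexes for the four credential families named at the top of the page, run over constructed sample lines, with placeholder values skipped and commented-out code still reported.

```javascript
// Added example, not LeakyPrompts' own scanner: a minimal regex check for the
// four credential families the page names, run over constructed sample lines.
// Placeholder values such as "your-key-here" are skipped, as the prompt asks.
const SECRET_PATTERNS = [
  { name: "Stripe secret key", re: /\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b/ },
  { name: "OpenAI API key", re: /\bsk-[A-Za-z0-9]{20,}\b/ },
  { name: "AWS access key ID", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "GitHub PAT", re: /\bghp_[A-Za-z0-9]{36}\b/ },
];

// Lines carrying an obvious placeholder or a variable reference are not real leaks.
const PLACEHOLDER = /your[-_]?key|changeme|xxx+|<[^>]+>|\$\{?[A-Z_]+\}?|example/i;

// Returns one finding per matching line: { line, name, preview }.
// The preview keeps only a prefix so the report itself does not re-leak the value.
// Commented-out code is scanned like any other line, since it still lives in git.
function scanSource(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    if (PLACEHOLDER.test(line)) return;
    for (const { name, re } of SECRET_PATTERNS) {
      const m = line.match(re);
      if (m) findings.push({ line: idx + 1, name, preview: m[0].slice(0, 8) + "..." });
    }
  });
  return findings;
}

// Constructed sample file; every key below is a made-up demo value.
const SAMPLE = [
  'const stripe = require("stripe")("sk_live_DEMO0000000000000000abcd");', // real-looking literal
  'OPENAI_API_KEY = "your-key-here"',                                        // placeholder, skipped
  '// const old = "ghp_0123456789abcdefghijABCDEFGHIJ012345";',              // commented out, still found
  "aws_access_key_id = AKIA0000000000DEMO00",                                // AWS-style key ID
  'openai.api_key = "sk-DEMO00000000000000000000"',                          // OpenAI-style key
  "const key = process.env.STRIPE_SECRET_KEY;",                              // the fix: read from env
].join("\n");

for (const f of scanSource(SAMPLE)) console.log(`line ${f.line}: ${f.name} (${f.preview})`);
```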

Safe .env Setup

Get a proper .env pattern set up for your project.

Help me set up a secure environment variable pattern for my [Next.js / Node.js / Python] project:
1. Create a .env.example file with all the keys I need (no real values)
2. Add .env to .gitignore (show me the exact line)
3. Show me how to read these variables safely in my code
4. Tell me what to do if I accidentally committed a real secret (steps to rotate and clean history)

Fix Leaked Secret Fast

Already committed a secret? Here's what to do.

I accidentally committed a secret (API key / password) to my public GitHub repo. Help me:
1. Immediately rotate/invalidate the leaked credential (tell me where to do this for [service name])
2. Remove it from the current code using environment variables instead
3. Clean it from git history using git filter-repo or BFG Repo-Cleaner (give me the exact commands)
4. Force-push the cleaned history safely
5. Audit for any other secrets I may have missed

Be specific and step-by-step. Assume I'm not a git expert.

Secure API Route Review

Make sure your API endpoints don't leak or misuse secrets.

Review this API route for security issues related to secrets and credentials:

[paste your API route code here]

Check for:
- Hardcoded credentials or tokens
- Secrets being logged or returned in responses
- Missing input validation that could expose internal errors
- Server-side secrets accidentally exposed to the client
- Any environment variables that should not be accessible client-side (NEXT_PUBLIC_ prefix issues in Next.js)

Fix each issue and explain why it matters.

GitHub Actions Secrets Setup

Use GitHub secrets safely in your CI/CD pipeline.

I need to use secret API keys in my GitHub Actions workflow. Help me:
1. Show me how to add secrets in GitHub repo settings (describe the UI steps)
2. Write a safe workflow snippet that reads secrets as environment variables
3. Make sure secrets never appear in logs (show me how to mask them)
4. Show me a .env pattern I can use locally that mirrors the CI setup

Here's my current workflow file (or describe what it needs to do):
[paste workflow or describe your CI needs]

Client vs Server Secret Audit

Prevent secrets from leaking to the browser bundle.

Audit my Next.js project for secrets that might be leaking to the client-side JavaScript bundle.

Rules to check:
- Any secret key used in a file inside /app (client components) or imported by one
- NEXT_PUBLIC_ prefixed variables (these are exposed to the browser — make sure none are secret)
- process.env calls that reference private keys in client-side code
- Any hardcoded values in files that get bundled client-side

Here is my project structure and relevant files:
[paste relevant files or describe your project]

For each issue, tell me how to fix it (move to server component, API route, etc.).
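The rules above turned into a heuristic check, as an added example that is not part of LeakyPrompts: it flags NEXT_PUBLIC_ names that look like secrets, private variables referenced from "use client" files, and hardcoded credential literals. The sample project and the secret-name word list are constructed assumptions.

```javascript
// Added example, not LeakyPrompts' own code: a heuristic pass over Next.js
// source files for the rules in the prompt above. All files are constructed
// in-memory strings; the secret-name word list is an assumption.
const SECRET_NAME = /SECRET|PRIVATE|PASSWORD|SERVICE_ROLE|WEBHOOK/;
// Credential literals of the families the scanner lists (Stripe, OpenAI, GitHub, AWS).
const HARDCODED = /\b(?:sk_(?:live|test)_|sk-|ghp_|AKIA)[A-Za-z0-9]{16,}\b/;

// A "use client" directive marks a file that ships in the browser bundle.
function isClientFile(source) {
  return /^\s*["']use client["']/m.test(source);
}

// Returns [{ file, rule, detail }] with three rules:
//  public-secret      NEXT_PUBLIC_ name that looks like a secret (exposed to the browser)
//  private-in-client  private variable read from a client file: it is not available there,
//                     and renaming it NEXT_PUBLIC_ would leak it; move the code server-side
//  hardcoded          credential literal in any file that could be bundled
function auditNextProject(files) {
  const issues = [];
  for (const [file, source] of Object.entries(files)) {
    const client = isClientFile(source);
    for (const m of source.matchAll(/process\.env\.([A-Z0-9_]+)/g)) {
      const name = m[1];
      if (name.startsWith("NEXT_PUBLIC_")) {
        if (SECRET_NAME.test(name)) issues.push({ file, rule: "public-secret", detail: name });
      } else if (client) {
        issues.push({ file, rule: "private-in-client", detail: name });
      }
    }
    if (HARDCODED.test(source)) issues.push({ file, rule: "hardcoded", detail: "credential literal" });
  }
  return issues;
}

// Constructed sample project: one bad client page, one fine API route,
// one public variable that must never be public, one hardcoded demo key.
const PROJECT = {
  "app/checkout/page.tsx": '"use client";\nconst key = process.env.STRIPE_SECRET_KEY;\n',
  "app/api/charge/route.ts": "const key = process.env.STRIPE_SECRET_KEY;\n",
  "components/Banner.tsx":
    '"use client";\nconst url = process.env.NEXT_PUBLIC_SUPABASE_URL;\n' +
    "const role = process.env.NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY;\n",
  "lib/openai.ts": 'const client = new OpenAI({ apiKey: "sk-DEMO00000000000000000000" });\n',
};

for (const i of auditNextProject(PROJECT)) console.log(`${i.file}: ${i.rule} (${i.detail})`);
```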

Dependency Security Check

Make sure your packages aren't hiding surprises.

Review my package.json dependencies for security concerns:

[paste your package.json here]

Check for:
1. Any packages known to have had supply-chain attacks or malicious versions
2. Overly broad version ranges (e.g. "*" or "latest") that could auto-install compromised versions
3. Dev dependencies that shouldn't be in production
4. Packages that request unnecessary permissions or make unexpected network calls
5. Alternatives for any high-risk packages

Suggest a safer version pinning strategy and flag anything urgent.
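An added example (not LeakyPrompts' own code) of the range and placement checks in items 2 and 3 above, run over a constructed package.json; the list of tooling packages treated as dev-only is a heuristic assumption.

```javascript
// Added example, not LeakyPrompts' own code: flags the overly broad version
// ranges and misplaced dev tooling the prompt asks about, on a constructed
// package.json. BUILD_ONLY is a heuristic list and an assumption.
const RISKY_RANGE = [
  { re: /^(\*|x|latest|next|)$/i, why: "wildcard or dist-tag: any future, possibly compromised, version installs" },
  { re: /^>=?\s*\d/, why: "open-ended lower bound: no upper limit on what installs" },
  { re: /^(git\+|git:|https?:|github:)/, why: "fetched from a URL, not a registry version: nothing to pin" },
];
const BUILD_ONLY = /^(eslint|prettier|jest|vitest|typescript|@types\/)/;

// Returns [{ name, range, issue }] for every problem found.
function auditPackageJson(json) {
  const pkg = JSON.parse(json);
  const findings = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    for (const { re, why } of RISKY_RANGE) {
      if (re.test(range.trim())) findings.push({ name, range, issue: why });
    }
    if (BUILD_ONLY.test(name)) {
      findings.push({ name, range, issue: "build tooling in dependencies: move to devDependencies" });
    }
  }
  for (const [name, range] of Object.entries(pkg.devDependencies || {})) {
    if (/^(\*|latest)$/i.test(range.trim())) findings.push({ name, range, issue: "devDependency unpinned" });
  }
  return findings;
}

// Constructed sample manifest: one well-pinned package, five problems.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  dependencies: {
    next: "14.2.3",
    stripe: "*",
    lodash: "latest",
    "left-pad": "github:someone/left-pad",
    eslint: "^8.0.0",
    express: ">=4",
  },
  devDependencies: { typescript: "5.4.5", jest: "*" },
});

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) console.log(`${f.name}@${f.range}: ${f.issue}`);
```

Pair the exact-version pins with a committed lockfile and `npm ci` in CI so installs reproduce what was reviewed.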

Pre-Launch Security Checklist

Run this before going live with any project.

Before I launch my [app type] project, give me a security checklist focused on common solopreneur / indie hacker mistakes:

1. Secrets & credentials (env vars, .gitignore, rotation plan)
2. API security (rate limiting, authentication, CORS)
3. Input validation (XSS, injection)
4. Dependency hygiene
5. Error messages (make sure stack traces aren't shown to users)
6. HTTPS and headers
7. Any service-specific gotchas for: [list your stack — e.g. Next.js, Supabase, Stripe, Vercel]

For each item: tell me what to check, how to fix it if broken, and how long it takes. Prioritize by risk.