Are Netlify environment variables safe?

Netlify environment variables are generally secure at runtime but can leak through several vectors. Build logs may expose variable values if your build process echoes them. Variables prefixed with certain framework conventions like NEXT_PUBLIC_ or VITE_ are bundled into client-side code and visible to anyone. Deploy previews and branch deploys share the same environment variables unless scoped, which can expose production secrets in preview deployments. Always scope sensitive variables to production only and never prefix secrets with client-side framework prefixes. UNPWNED checks for exposed environment variables and secrets in your deployed application.