Adds warning about client-side secrets (#38)

Dan6erbond · Jun 3, 2021 · 731eabd · 731eabd
1 parent ec0ad24
commit 731eabd
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -31,6 +31,8 @@ SvelteKitAuth also comes with first-class support for Typescript out of the box,
 
 SvelteKitAuth is very easy to setup! All you need to do is instantiate the `SvelteKitAuth` class, and configure it with some default providers, as well as a JWT secret key used to verify the cookies:
 
+_**Warning**: env variables prefixed with `VITE_` can be exposed and leaked into client-side bundles if they are referenced in any client-side code. Make sure this is not the case, or consider using an alternative method such as loading them via dotenv directly instead._
+
 ```ts
 export const appAuth = new SvelteKitAuth({
   providers: [