No one should be, why are the enverionmant variables not encrypted itself and the encryption key is stored with your oauth provider ?
replyVercel runtime must be able to access the values (so customer's apps can use them). But nobody else should ever be able to. This is the typical amateur hour security but on the other hand, who was naive enough to expect any better from vercel?
reply