How is it determined whether environment variables are sensitive or not?

The documentation on Sensitive variable policy explains how you can enable it, but not how an environment variable is actually determined as sensitive or not.

Untrusted deploys will build automatically, but variables identified as sensitive will not be passed to the deploy environment.

could indicate that this is somehow automatic and magic?

We want to make sure that some of the environment variables we are using are considered sensitive.

Using the feature seems to work correctly: the correct ones are currently identified as sensitive. But we need to make sure this does not change with a platform update, so we would be much more comfortable with an explicit definition of “this var is sensitive, do not expose”.

Hey there, @janpio :wave:

Thanks for taking the time to share this with us. We have brought this feedback to the appropriate team. Should anything change, we will follow up on this thread!

Hi - is there any update on the response from the Netlify team?

This is a critical detail that is missing, and rather than having people test and try things out to determine the behaviour, it would be good to have it stated clearly.


Hi @myitcv,

I had responded to this thread, but was later told by the security team to not reveal these details, so the response was deleted shortly after.

Unfortunately, we cannot share these details, but if it’s not working as expected for you, happy to troubleshoot.