From a7d54437b74af7bd59b8d65756f1d91c4b095af7 Mon Sep 17 00:00:00 2001
From: tom <tom@ohhhh.me>
Date: Fri, 20 Oct 2023 13:11:31 -0300
Subject: [PATCH] [skip ci] disclaimer about ENV variables

---
 docs/ENVS.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/docs/ENVS.md b/docs/ENVS.md
index 0720dfa65e..6c3617261f 100644
--- a/docs/ENVS.md
+++ b/docs/ENVS.md
@@ -4,6 +4,12 @@ The app instance could be customized by passing following variables to NodeJS en
 
 **IMPORTANT NOTE!** For _production_ build purposes all json-like values should be single-quoted. If it contains a hash (`#`) or a dollar-sign (`$`) the whole value should be wrapped in single quotes as well (see `dotenv` [readme](https://github.com/bkeepers/dotenv#variable-substitution) for the reference)
 
+## Disclaimer about using variables
+
+Please be aware that all environment variables prefixed with `NEXT_PUBLIC_` will be exposed to the browser. So any user can obtain its values. Make sure that for all 3rd-party services keys (e.g., Sentri, Auth0, WalletConnect, etc.) in the services administration panel you have created a whitelist of allowed origins and have added your app domain into it. That will help you prevent using your key by unauthorized app, if someone gets its value.
+
+&nbsp;
+
 ## Table of contents
 - [App configuration](ENVS.md#app-configuration)
 - [Blockchain parameters](ENVS.md#blockchain-parameters)