Fix guide · low · staging_hostname_in_client

Staging / internal hostname in client code

What this rule means

A hostname matching staging.*, dev.*, qa.*, or internal.* was found in your bundle.

Why it matters

A staging or internal hostname in a shipped bundle tells attackers about non-production environments that may be less hardened, run older code, or have weaker auth.

How to fix it

  1. Audit the reference. Is it intentional? (A staging frontend calling api-staging.example.com is fine.) Or accidental? (Hardcoded in source and shipped to production.)
  2. For accidental references, use environment-specific config, for example process.env.NEXT_PUBLIC_API_URL set to a different value per deploy.
  3. Make sure staging has its own auth — don't assume obscurity protects it.
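
One way to enforce steps 1 and 2 in a build or CI job, as an added example (not vibecheck's own detection logic). The matching rule, the `allowedHosts` and `isProductionDeploy` parameters, and the example.com hostnames are assumptions.

```javascript
// Added example, not vibecheck's detection logic.
// Assumption: a hostname is non-production when one of its labels (TLD
// excluded) is, or contains as a hyphen-separated part, one of these words.
const NON_PROD_WORDS = ["staging", "dev", "qa", "internal"];
// Assumption: only URL-style references (scheme://host) are scanned.
const URL_HOST_RE = /\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi;

function isNonProdHostname(host) {
  const labels = host.toLowerCase().split(".");
  const candidates = labels.length > 1 ? labels.slice(0, -1) : labels;
  return candidates.some((label) =>
    label.split("-").some((part) => NON_PROD_WORDS.includes(part)));
}

// Step 1: list non-production hostnames in built bundle text. allowedHosts
// holds the intentional ones (e.g. the staging API in a staging build).
function findNonProdHostnames(bundleText, allowedHosts = []) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const found = new Set();
  for (const match of bundleText.matchAll(URL_HOST_RE)) {
    const host = match[1].toLowerCase().replace(/\.+$/, "");
    if (isNonProdHostname(host) && !allowed.has(host)) found.add(host);
  }
  return [...found].sort();
}

// Step 2: take the API base URL from per-deploy config and refuse a
// production deploy whose config still points at a non-production host.
function resolveApiUrl(env, isProductionDeploy) {
  const url = env.NEXT_PUBLIC_API_URL;
  if (!url) throw new Error("NEXT_PUBLIC_API_URL is not set for this deploy");
  const host = new URL(url).hostname;
  if (isProductionDeploy && isNonProdHostname(host)) {
    throw new Error(`production deploy points at non-production host ${host}`);
  }
  return url;
}

// Constructed sample bundle text (not from a real scan).
const SAMPLE_BUNDLE = `
fetch("https://api.example.com/v1/me");
fetch("https://api-staging.example.com/v1/me");
const ws = new WebSocket("wss://internal.example.com/socket");
`;
console.log(findNonProdHostnames(SAMPLE_BUNDLE));
```

In CI, pass the contents of each built file to `findNonProdHostnames` and fail the job when the result is non-empty.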

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
