# Environment Variable Exposure

- ID: go-env-var-exposure
- Severity: HIGH
- CWE: CWE-526
- Languages: Go

## Description

Environment variables logged or included in HTTP responses.

## Remediation

Use environment variables for configuration only; never log or expose them.

```go
dbURL := os.Getenv("DATABASE_URL")
// Use dbURL for connection only
// Never log it: log.Printf("DB: %s", dbURL) // Wrong!
```

Learn more: https://shoulder.dev/learn/go/cwe-526/env-var-exposure