
How to not have security violation in handling of S3 AWS keys?

Open • invictus2010 opened this issue 4 years ago • 1 comment

The default installation guide for notea has the user put their AWS keys in the .env file, host it on GitHub, and then deploy to Vercel.

This is a huge security violation since the .env file can be read, leaving the account subsequently pwned.

Am I missing something? I very well could be, since I'm a newbie at hosting things like this.

invictus2010 • Sep 21 '21 19:09

.env just tells which environment variables to configure. If you need to deploy to Vercel, then you should configure these variables on the Vercel dashboard.


QingWei-Li • Sep 22 '21 00:09
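
The distinction drawn in the reply above (a committed .env that only names variables, versus one with real values filled in) can be checked before pushing. This is an added example, not part of the thread or of notea's code: `parseEnvLine`, `auditEnvFile` and the placeholder heuristic are assumptions, the variable names are constructed samples, and the filled-in values are the example credentials from AWS's public documentation.

```javascript
// Added example: audit the text of a .env file that is about to be committed.
// Key names and values below are constructed samples, not notea's real config.
const ACCESS_KEY_ID = /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/; // AWS access key ID shape
const SECRET_NAME = /SECRET|PASSWORD|TOKEN|ACCESS_KEY|PRIVATE/i;
// Assumption: values like these are template placeholders, not credentials.
const PLACEHOLDER = /^(?:|changeme|x+|<.*>|your[-_].*)$/i;

function parseEnvLine(raw) {
  const line = raw.trim();
  if (line === "" || line.startsWith("#")) return null; // blank or comment
  const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
  if (!m) return null;
  let value = m[2].trim();
  const quoted = /^(["'])(.*)\1$/.exec(value);
  if (quoted) value = quoted[2]; // strip matching quotes
  else value = value.replace(/\s+#.*$/, ""); // drop trailing comment
  return { key: m[1], value };
}

function auditEnvFile(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const entry = parseEnvLine(raw);
    if (!entry) return;
    if (ACCESS_KEY_ID.test(entry.value)) {
      findings.push({ line: i + 1, key: entry.key, reason: "aws-access-key-id" });
    } else if (SECRET_NAME.test(entry.key) && !PLACEHOLDER.test(entry.value)) {
      findings.push({ line: i + 1, key: entry.key, reason: "secret-has-value" });
    }
  });
  return findings;
}

// Template that only names the variables: nothing to leak if committed.
const templateEnv = [
  "# fill these in on the hosting dashboard",
  "AWS_ACCESS_KEY_ID=",
  "AWS_SECRET_ACCESS_KEY=<set-in-dashboard>",
  "AWS_REGION=us-east-1",
].join("\n");

// Same file with values filled in (AWS documentation example credentials).
const filledEnv = [
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  'export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
  "AWS_REGION=us-east-1",
].join("\n");

console.log(auditEnvFile(templateEnv), auditEnvFile(filledEnv));
```

A non-empty result means the file carries values that belong in the hosting provider's environment-variable settings rather than in the repository.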