diff --git a/README.md b/README.md
index 8f52291..0986a12 100644
--- a/README.md
+++ b/README.md
@@ -31,6 +31,8 @@ SvelteKitAuth also comes with first-class support for Typescript out of the box,
 
 SvelteKitAuth is very easy to setup! All you need to do is instantiate the `SvelteKitAuth` class, and configure it with some default providers, as well as a JWT secret key used to verify the cookies:
 
+_**Warning**: env variables prefixed with `VITE_` can be exposed and leaked into client-side bundles if they are referenced in any client-side code. Make sure this is not the case, or consider using an alternative method such as loading them via dotenv directly instead._
+
 ```ts
 export const appAuth = new SvelteKitAuth({
   providers: [