From 731eabd893f29df64870beb7ce65282312852da0 Mon Sep 17 00:00:00 2001 From: Scott Fischer Date: Thu, 3 Jun 2021 05:02:26 -0400 Subject: [PATCH] Adds warning about client-side secrets (#38) --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 8f52291..0986a12 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,8 @@ SvelteKitAuth also comes with first-class support for Typescript out of the box, SvelteKitAuth is very easy to setup! All you need to do is instantiate the `SvelteKitAuth` class, and configure it with some default providers, as well as a JWT secret key used to verify the cookies: +_**Warning**: env variables prefixed with `VITE_` can be exposed and leaked into client-side bundles if they are referenced in any client-side code. Make sure this is not the case, or consider using an alternative method such as loading them via dotenv directly instead._ + ```ts export const appAuth = new SvelteKitAuth({ providers: [
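Review bot: The warning lands between the sentence ending "a JWT secret key used to verify the cookies:" and the `ts` block that sentence introduces, so the colon now leads into the warning instead of the code. Move the warning below the example, or above the introductory sentence, so the lead-in stays attached to its snippet. The wording could also be firmer and more specific: say which variables in the example the warning applies to, and state that the JWT secret must only be read in server-side code, since "consider using an alternative method such as loading them via dotenv directly" leaves the reader to work out which values are at risk and where it is safe to load them.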