Screen Sharing Privacy for Developers: How to Hide API Keys, .env Files, and Secrets
Developers share screens during standups, pair programming, and demos. Here's how to prevent accidental exposure of API keys, credentials, and sensitive code.
Short answer
Developers share screens during standups, pair programming, and demos. Here's how to prevent accidental exposure of API keys, credentials, and sensitive code.
Direct answer
developers share screens during standups, pair programming, and demos. here's how to prevent accidental exposure of api keys, credentials, and sensitive code and follow the step-by-step approach in this guide.
Your .env File Is One Alt-Tab Away from Being Public
You are in a standup. You share your screen to walk through a bug. Your VS Code sidebar shows the file tree. .env is right there. You open the terminal to run a command. Your environment variables are printed in the output. Someone on the call screenshots it. Or the meeting is recorded. Your production database credentials are now a security incident.
This is not a rare edge case. Developers share their screens more than any other profession. Standups, pair programming sessions, code reviews, sprint demos, architecture walkthroughs, incident response calls -- the screen is shared constantly. And developer environments are packed with data that should never be seen by anyone outside the team, let alone outside the company.
API keys. Database connection strings. AWS credentials. GitHub tokens. Private SSH keys displayed in terminal output. Internal service URLs. Customer data in development databases. The developer workstation is a concentration of secrets that no other role matches.
What Developers Accidentally Expose
Terminal and CLI Output
The terminal is the most dangerous surface. Commands like env, printenv, echo $DATABASE_URL, or docker inspect print credentials directly to the screen. Even a simple git log can show commit messages referencing internal infrastructure. If your terminal has scrollback, a quick scroll up during a screen share can reveal commands and output from hours ago.
Build scripts and deployment logs often print environment variables, API endpoints, and configuration details. A CI/CD pipeline log visible in a browser tab can contain service account credentials.
IDE Sidebars and File Trees
Your VS Code or JetBrains sidebar shows your project structure. File names like .env, .env.production, secrets.yaml, credentials.json, and service-account-key.json are immediately recognizable to anyone watching. Even without opening these files, their presence in the file tree reveals the architecture of your secrets management.
Open tabs in your editor are visible too. A tab labelled database.ts next to one labelled stripe-webhook-handler.ts tells a story about your payment infrastructure.
Browser Tabs and Dev Tools
Developers typically have many browser tabs open: internal dashboards, admin panels, cloud consoles (AWS, GCP, Azure), CI/CD platforms (GitHub Actions, CircleCI), monitoring tools (Datadog, New Relic, Grafana), and documentation. Tab titles alone reveal internal service names, dashboard URLs, and infrastructure details.
The browser dev tools panel -- Network tab, Console, Application storage -- can expose API responses containing customer data, authentication tokens in local storage, and debugging output with sensitive information. These are common vectors for screen sharing fails in developer contexts.
Git History and Diffs
Sharing a git diff or git log during a code review can reveal more than the code being reviewed. Commit messages reference ticket numbers, project codenames, and internal URLs. Diffs may show changes to configuration files that include credential rotations. Branch names like fix-stripe-webhook-production-outage reveal operational details.
Method 1: Terminal Hygiene
Clear terminal history before sharing: Run clear or Ctrl+L to clear the visible terminal. This removes previous commands and output from the scrollback buffer visible on screen.
Use a dedicated terminal profile: Create a terminal profile (iTerm2, Windows Terminal, or your shell's profile system) specifically for screen sharing. Configure it with a clean prompt that does not show the hostname, username, or current path components that reveal infrastructure details.
Never run env or printenv during a screen share. If you need to verify an environment variable, pipe it through a partial redaction: echo $API_KEY | sed 's/./*/g' or use a privacy-focused workflow that keeps secrets out of terminal output.
Use dotenv files with caution. During pair programming, if someone asks you to check a config value, do it after the screen share ends. Build the habit of treating .env files as never-open-during-sharing.
Method 2: IDE Configuration
Collapse the sidebar. Before sharing your screen, collapse the file explorer sidebar in VS Code (Ctrl+B / Cmd+B). This hides file names including .env, secrets.yaml, and other sensitive files. Reopen it only when you need to navigate, and close it again immediately.
Close sensitive tabs. Before a screen share, close any editor tabs showing configuration files, environment files, or files containing hardcoded credentials. Use Ctrl+W / Cmd+W to close tabs quickly.
Use VS Code's Zen Mode: Ctrl+K Z / Cmd+K Z enters Zen Mode, which hides the sidebar, status bar, activity bar, and panel. Only the editor content is visible. This is the closest thing to a "presentation mode" that VS Code offers.
Configure .gitignore patterns as private. In VS Code settings, add patterns to files.exclude to hide sensitive files from the explorer entirely: .env*, *.pem, credentials.*, service-account-*.
Method 3: Browser Profile for Development Screen Sharing
Create a separate Chrome profile for screen sharing during development. This profile should have:
- No saved logins to cloud consoles (AWS, GCP, Azure)
- No bookmarks to internal admin panels
- No extensions that show sensitive data
- No browsing history from internal tools
When you need to share a browser during a development demo, switch to this profile first. Internal URLs, cloud console sessions, and admin panel bookmarks stay in your primary profile, invisible to the audience.
Method 4: Element-Level Blurring for Web-Based Tools
Modern development happens in the browser as much as in the terminal. Cloud consoles, CI/CD dashboards, monitoring tools, and admin panels are all web-based. When you need to share one of these during a demo or incident response call, the surrounding data is the problem.
ContextBlur lets you blur specific elements in any web page: the sidebar in your AWS console, the credential column in your secrets manager, the customer data table in your admin panel, the environment variable list in your CI/CD dashboard. The tool you are presenting remains visible and functional. The sensitive data within it is unreadable.
For developers who regularly demo cloud infrastructure, monitoring dashboards, or admin tools, setting up auto-blur rules for these pages means the blurs apply automatically every time you visit. You do not need to remember to blur the AWS IAM credentials page before every architecture review. The rules persist.
Developer-Specific Screen Sharing Checklist
Run through this before every standup, pair programming session, or demo:
- Clear your terminal.
clearorCtrl+L. Check for scrollback that might contain credentials. - Collapse your IDE sidebar.
Ctrl+B/Cmd+Bin VS Code. No file tree visible. - Close sensitive editor tabs.
.env, config files, credential files. - Switch to your clean browser profile if sharing browser-based tools.
- Blur sensitive elements in any web-based dashboard, console, or admin panel you will share.
- Enable Do Not Disturb. Suppress notification popups from Slack, email, and other apps.
- Share a window, not your desktop. Select your IDE window or browser window specifically.
- Check your screen. Take two seconds to verify nothing sensitive is visible before speaking.
Common Developer Screen Sharing Scenarios
Standup Demo
You need to show the feature you completed. Share your browser window with the feature running. Do not share your IDE unless the code is relevant. If showing code, collapse the sidebar and close unrelated tabs. The audience needs to see the feature, not your file structure.
Pair Programming
You are sharing your entire IDE for an extended session. This is the highest-risk scenario for developers. Collapse the sidebar initially. When you need to navigate files, open the sidebar briefly, navigate, and collapse it again. If your pair asks about configuration, discuss it verbally rather than opening the .env file on screen.
Architecture Review
You are sharing diagrams, cloud console screens, and documentation. Blur infrastructure details in cloud consoles that are not relevant to the discussion: IAM policies, security group rules, API keys in settings pages. Share specific browser tabs, not your full browser window, to avoid exposing other tabs with sensitive infrastructure details.
Incident Response
You are sharing during a live incident. Speed matters, but so does security. In the heat of an incident, it is easy to share a screen with Datadog dashboards showing customer names, PagerDuty with phone numbers, or a database console with production data. If the incident call includes anyone outside your immediate team, take five seconds to blur customer-identifiable information before sharing.
Client Demo
You are showing a client how your product works. This is the scenario where the stakes are highest. Internal URLs, other client names in your admin panel, pricing configuration, and feature flags are all visible in a typical admin interface. Use a dedicated demo environment with sanitised data whenever possible. When that is not available, element-level screen blurring is your last line of defence.
Vibe coding creates a wider leak surface
If you use Cursor, Windsurf, Bolt, or Replit, your context switches are faster and more frequent. That increases the chance of exposing secrets while explaining your work live.
Use this cluster for AI-first workflows:
- Vibe coding security guide
- Cursor IDE screen sharing privacy
- How to hide API keys during screen sharing
- Protect secrets while vibe coding
Build the Habit
Developer screen sharing privacy is not about paranoia. It is about treating credentials and internal infrastructure with the same care during a screen share that you give them in code reviews and deployment pipelines. You would never commit an API key to a public repository. Do not broadcast one during a standup.
The checklist takes fifteen seconds once it becomes habit. The cost of not using it is a credential rotation, a security incident, and an uncomfortable conversation with your security team. Start with "clear terminal, collapse sidebar, share window" as your minimum. Add browser profile separation and element-level blurring as your workflow demands.
If your main workflow is VS Code, use the VS Code extension page for setup and command install details, then compare browser options on downloads and free vs Pro limits on pricing.