ACR Rules

Constants should not be exposed to the client

Constants should not be exposed to the client if they contain sensitive information.

When a constant is exposed to the client, the Mendix Runtime sends its value to the browser, so that in addition to microflow expressions it is also accessible from nanoflows and page expressions. Anything sent to the browser can be read by anyone who can load the app, so sensitive data or secrets such as passwords must never be stored in a constant that is exposed to the client.

Mendix docs: https://docs.mendix.com/refguide/constants#4-2-exposed-to-client

To determine whether a constant is sensitive, ACR checks whether the constant name contains a sensitive keyword such as "password" or "key". The list of sensitive keywords is configurable as a comma-separated list, e.g. "password,key", and matching is not case sensitive. Leave the list empty (the default) to report a violation for every constant that is exposed to the client. Because the check is name-based, a constant whose name matches none of the configured keywords is not reported even if it holds a secret, so keep the list broad or leave it empty.
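The check described above, re-implemented as an added example so the matching rules can be seen on concrete input. This is not ACR's own code; the Constant class, the SAMPLE_CONSTANTS list and the keyword strings are constructed for the example, and the Mendix model is reduced to the two fields the rule needs (constant name and the "Exposed to client" flag).

```python
"""Added example: stand-alone version of the name-based heuristic.
Not ACR's code; all input below is constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Constant:
    """Minimal stand-in for a Mendix constant (constructed for this example)."""
    name: str                # qualified name, e.g. "Integration.ApiKey"
    exposed_to_client: bool  # the "Exposed to client" checkbox in the model


def parse_keywords(configured: str) -> list[str]:
    """Turn the configurable setting (e.g. "password,key") into lowercase
    keywords. Blank entries are dropped; an empty setting yields []."""
    return [k.strip().lower() for k in configured.split(",") if k.strip()]


def is_sensitive(name: str, keywords: list[str]) -> bool:
    """Case-insensitive substring match on the constant name.
    With no keywords configured, every constant counts as sensitive (the default)."""
    if not keywords:
        return True
    lowered = name.lower()
    return any(k in lowered for k in keywords)


def find_violations(constants, configured_keywords: str = "") -> list[str]:
    """Return the names of constants that are exposed to the client and whose
    name matches a sensitive keyword (or every exposed constant when the
    keyword list is empty)."""
    keywords = parse_keywords(configured_keywords)
    return [
        c.name
        for c in constants
        if c.exposed_to_client and is_sensitive(c.name, keywords)
    ]


# Constructed sample model: a mix of exposed and server-only constants.
SAMPLE_CONSTANTS = [
    Constant("Integration.SmtpPassword", exposed_to_client=True),
    Constant("Integration.ApiKey", exposed_to_client=True),
    Constant("Integration.ApiToken", exposed_to_client=True),    # slips past "password,key"
    Constant("Integration.DbPassword", exposed_to_client=False),  # server-side only: fine
    Constant("App.PageSize", exposed_to_client=True),             # harmless to expose
]

if __name__ == "__main__":
    print("default (empty keyword list):", find_violations(SAMPLE_CONSTANTS))
    print('keywords "Password, KEY":', find_violations(SAMPLE_CONSTANTS, "Password, KEY"))
```

With the default empty list every exposed constant is reported, including the harmless App.PageSize; with "password,key" configured the report shrinks to SmtpPassword and ApiKey, and the exposed ApiToken is missed, which is the trade-off the keyword setting makes.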

Non-compliant example:

Compliant example: