logoalt Hacker News

chatmastayesterday at 8:30 PM2 repliesview on HN

Next.js renders configuration that’s shared by client and server into a JSON blob in the HTML page. These config variables often come from environment variables. It’s a very common mistake for people to not realize this, and accidentally put what should be a server-only secret into this config. I’ve seen API secrets in HTML source code because of this. The client app doesn’t even use it, but it’s part of the next config so it renders into the page.

Replies

whhyesterday at 8:38 PM

That's essentially what NEXT_PUBLIC_ is for... but serializing process.env is a new one for me.

show 1 reply
socalgal2yesterday at 8:40 PM

IIRC, react had this issue so they required env vars seen in react to be prefixed by REACT_ The hope being that SECRET is not prefixed and so is not available. Of course it requires you to know why they are prefixed and not make REACT_SECRET