Home > Net >  Is it secure to expose secret keys to a next.js app via environment variables?
Is it secure to expose secret keys to a next.js app via environment variables?

Time:06-11

As I take it, environment variables prefixed with NEXT_PUBLIC_ will be substituted by their respective values in the resulting bundle.

Is it safe to supply things like API keys, OAuth secrets and the like using NEXT_PUBLIC_* variables or can an end user theoretically access these secret values? If this is the case, then what is the recommended approach to circumventing this potential security issue?

Thank you all for clarification.

CodePudding user response:

NEXT_PUBLIC_ environment variable prefixes should only be used for values which are non-sensitive, and as you pointed out, which you're comfortable with being present in the final bundle. Prefixing any sensitive keys or secret environment variables with NEXT_PUBLIC_ is a security risk. Those values should only be accessible to next.js at build time or server-side.

Consider using Next.js API routes to isolate any service-oriented business logic to the server-side of things.

Page link:https//www.codepudding.com/net/437806.html

Prev:Webpack, disable the export of assets referenced in SCSS/CSS
Next:Typescript not compiling enum in symlinked folder
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding