-
Notifications
You must be signed in to change notification settings - Fork 271
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TODO: Suggestion: Remove NEXT_PUBLIC Prefix for API Keys in .env File #105
Comments
After changing my .env file, to change all of the variables in the code, I've used following command in Linux bash: cd frontend/src/app
for i in $(grep -rl NEXT_PUBLIC) ; do sed -i -E 's/NEXT_PUBLIC_([A-Z_]+)/\1/g' $i ; done |
@Yaren-IT I think this would be a good change. When I initially build this I did not mind keeping NEXT_PUBLIC and it made the variable accessible client side. But this would be a good refactor to do. I would add it to my todo, but if you would like to make a PR before than. Feel free to do so. Just have to check, that where ever we are using none NEXT_PUBLIC env we will have to refactor some logic to run the code server side. Because I believe we wont be able to access those variables client side. |
Problem
The current documentation suggests prefixing API keys with NEXT_PUBLIC for environment variables in Next.js applications. However, this could potentially lead to security vulnerabilities as these keys may inadvertently be exposed to the client side.
Solution
The official Next.js documentation source recommends not using the NEXT_PUBLIC prefix for sensitive environment variables, such as API keys. By removing the prefix, these variables remain private and can only be accessed on the server, minimizing the risk of unintentional client-side exposure.
Reference
Next.js documentation advises against using the NEXT_PUBLIC prefix for sensitive environment variables:
The text was updated successfully, but these errors were encountered: