1

Can a malicious actor easily access .env variables in Next.js that have the NEXT_PUBLIC prefix, or are they just as safe as the other .env variables?

YulePale

1 Answer

2

Yes, the NEXT_PUBLIC prefix allows Next.js to send the variable to the client's browser.

From the docs:

The value will be inlined into JavaScript sent to the browser because of the NEXT_PUBLIC_ prefix.

Don't use sensitive data with the NEXT_PUBLIC prefix.

Frederic Perron
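
A pre-deploy check for the point made in the answer above, as an added example that is not part of the original answer or of Next.js: it parses a `.env` file, flags `NEXT_PUBLIC_` variables whose names suggest a secret, and reports server-only values that still show up in client bundle text. The variable names, sample values and the name heuristic are constructed assumptions.

```javascript
// Added example: audit a .env file against built client JavaScript.
// All inputs below are constructed sample data, not from a real project.

// Minimal .env parser: KEY=value lines, '#' comments, optional quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue;
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    if (quoted) value = quoted[2];
    vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

// Name heuristic (an assumption of this example, not a Next.js feature).
const SECRET_HINT = /(SECRET|TOKEN|PASSWORD|PRIVATE|API_KEY)/i;

// Returns one finding per variable that should not reach the browser.
function auditEnv(envText, bundleText) {
  const findings = [];
  for (const [key, value] of Object.entries(parseEnv(envText))) {
    const isPublic = key.startsWith('NEXT_PUBLIC_');
    const inBundle = value.length > 0 && bundleText.includes(value);
    if (isPublic && SECRET_HINT.test(key)) {
      findings.push({ key, issue: 'secret-looking name with public prefix' });
    } else if (!isPublic && inBundle) {
      findings.push({ key, issue: 'server-only value found in client bundle' });
    }
  }
  return findings;
}

const sampleEnv = [
  '# constructed sample .env',
  'DATABASE_URL="postgres://app:example-pw@db.internal/app"',
  'NEXT_PUBLIC_ANALYTICS_ID=UA-000000-0',
  'NEXT_PUBLIC_PAYMENT_SECRET_KEY=constructed-not-a-real-key',
].join('\n');

// Constructed stand-in for built client JS with public values inlined.
const sampleBundle =
  'track("UA-000000-0");pay("constructed-not-a-real-key");';

console.log(auditEnv(sampleEnv, sampleBundle));
```

In a real project the bundle text would come from the built client files, and a non-empty result would fail the build.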