Skip to content

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Environment variables exposed on the client #18269

Closed
BenjaminWFox opened this issue Oct 26, 2020 · 3 comments
Closed

Environment variables exposed on the client #18269

BenjaminWFox opened this issue Oct 26, 2020 · 3 comments

Comments

@BenjaminWFox
Copy link

Bug report

Describe the bug

Environment variables which do not use the NEXT_PUBLIC_ prefix are inlined in built static files and exposed to the client despite the documentation seeming to suggest otherwise.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:
Example repo: https://github.com/BenjaminWFox/nextjs-environment-variable-examples
Deployed app: https://nextjs-environment-variable-examples.vercel.app/

You can see that variable is inlined into the static .html: https://github.com/BenjaminWFox/nextjs-environment-variable-examples/blob/main/.next-demo/server/pages/index.html#L33

It appears that the intent is then to strip this out before the page is viewed on the client, but refreshing quickly or simulating a slow connection displays the variable prior to it being stripped out.

Expected behavior

I would expect that a static page would not be allowed to use non-public environment variables.

Screenshots

GIF shows the non-public variable visible on refreshing the page:
out

System information

  • Browser [chrome]
  • Version of Next.js: [9.5.5]
  • Version of Node.js: [12.13.1 locally]

Additional context

I saw this while trying to better understand the behavior of environment variables generally, so not sure if there was something else I might be doing wrong.
@merodiro
Copy link

the reason it appears on the first render and then disappears when the page loads is that the first render is from the server/generated HTML where it has these all env variables available but it disappears when react hydrate finishes because the env isn't available in the client bundle

@BenjaminWFox
Copy link
Author

I get that, but considering the docs it would be easy for someone to make a mistaken assumption about how safe their environment variables actually were. They are exposed to the browser, albeit briefly.

By default all environment variables loaded through .env.local are only available in the Node.js environment, meaning they won't be exposed to the browser.

So if not a bug maybe just a 'needs clarification'?

@BenjaminWFox
Copy link
Author

In a similar vein, SSG files that use process.env.* values can use any value from the .env/.env.local file without requiring the NEXT_PUBLIC_ prefix.

I feels like I should get an error when building in this case, and be required to prefix any environment variables for SSG files with NEXT_PUBLIC_.

@vercel vercel locked and limited conversation to collaborators Apr 12, 2021

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@timneutkens @BenjaminWFox @merodiro