Env Exposure

Server env vars in client components, .env not in .gitignore

Severity: critical | Category: Security | Rule ID: env-exposure

Why this matters

A 'use client' component is not browser-only code, so server-only env vars referenced in it can end up in front of every user. Next.js inlines only NEXT_PUBLIC_-prefixed variables into the browser bundle by design, but a non-prefixed variable read in a client file still leaks in two ways: the build may inline it anyway (the env option in next.config.js, or another bundler's define step), and the component is also rendered on the server, where the variable is set, so whatever is rendered or serialized from it ships in the HTML. Either way your database URL, API keys, and secrets become public, and a secret that has shipped once must be rotated.

Bad
"use client";

export function ApiStatus() {
  // Server-only secret read in client code: it can be inlined into the
  // client bundle, and it is defined during server rendering of this component
  const url = process.env.DATABASE_URL;
  return <span>{url ? "Connected" : "Down"}</span>;
}

Good
"use client";

export function ApiStatus() {
  // Only NEXT_PUBLIC_ vars are meant for client code; they are inlined at
  // build time for every user, so never put a secret behind this prefix
  const url = process.env.NEXT_PUBLIC_API_URL;
  return <span>{url ? "Connected" : "Down"}</span>;
}

How to fix

Never reference server-only env vars in 'use client' files. Use the NEXT_PUBLIC_ prefix only for values that are safe to expose to every visitor, and keep secrets behind server components, route handlers, or server actions that return only the derived data the client needs (a status flag, not the connection string). Keep .env files out of version control: add .env and .env.*.local to .gitignore and commit only a template such as .env.example with no real values. If a secret has already been bundled or committed, removing the reference does not un-publish it; rotate it.
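The script below is an added example, not the rule's own implementation: a small Node check for the two conditions this rule names, server-only env vars read in a 'use client' module and .env files that .gitignore does not cover. It assumes the NEXT_PUBLIC_ convention, treats NODE_ENV as the one non-prefixed variable that is safe in client code (Next.js inlines it for the browser), and the source file and .gitignore contents it scans are constructed for the demonstration. The .gitignore matcher handles plain names, '*' wildcards and '!' negation only, not full gitignore semantics.

```javascript
// Added example (not the rule's own tooling): flag server-only env vars read
// in "use client" modules and .env files that .gitignore does not cover.
// All inputs below are constructed for the demonstration.

// Non-prefixed variables that Next.js does inline for the browser and are
// therefore safe to read in client code. Assumption: only NODE_ENV qualifies.
const CLIENT_SAFE = new Set(["NODE_ENV"]);

// A module is client code when its first statement is the "use client"
// directive; leading comments and whitespace are allowed before it.
function isClientModule(source) {
  const body = source.replace(/^(?:\s*(?:\/\/[^\n]*\n|\/\*[\s\S]*?\*\/))*\s*/, "");
  return /^(["'])use client\1/.test(body);
}

// Collect every variable the source reads from process.env, whether via
// process.env.NAME, process.env["NAME"], or const { NAME } = process.env.
function envReferences(source) {
  const names = new Set();
  const member = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*(["'])([^"']+)\2\s*\])/g;
  const destructure = /\{([^}]*)\}\s*=\s*process\.env\b/g;
  let m;
  while ((m = member.exec(source)) !== null) names.add(m[1] ?? m[3]);
  while ((m = destructure.exec(source)) !== null) {
    for (const part of m[1].split(",")) {
      const name = part.split(/[:=]/)[0].trim(); // drop renames and defaults
      if (name) names.add(name);
    }
  }
  return names;
}

// Server-only variables referenced in a client module, sorted for stable
// output. Returns [] for server modules, which may read any variable.
function findServerEnvInClientFile(source) {
  if (!isClientModule(source)) return [];
  return [...envReferences(source)]
    .filter((n) => !n.startsWith("NEXT_PUBLIC_") && !CLIENT_SAFE.has(n))
    .sort();
}

function escapeRegex(s) {
  return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
}

// Minimal .gitignore evaluation: patterns are matched against a top-level
// file name, "*" matches within one path segment, "!" negates, and the last
// matching pattern wins, as in git. Directory rules and "**" are not handled.
function gitignoreCovers(gitignoreText, fileName) {
  let ignored = false;
  for (const raw of gitignoreText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const negate = line.startsWith("!");
    let pattern = negate ? line.slice(1) : line;
    if (pattern.startsWith("/")) pattern = pattern.slice(1);
    const re = new RegExp("^" + pattern.split("*").map(escapeRegex).join("[^/]*") + "$");
    if (re.test(fileName)) ignored = !negate;
  }
  return ignored;
}

// .env files that would be committed, i.e. not covered by .gitignore.
function unignoredEnvFiles(gitignoreText, envFiles) {
  return envFiles.filter((f) => !gitignoreCovers(gitignoreText, f));
}

// Constructed sample: a client component mixing public and server-only vars.
const SAMPLE_CLIENT = [
  '"use client";',
  'import { useState } from "react";',
  "const { DATABASE_URL, NEXT_PUBLIC_API_URL } = process.env;",
  "export function ApiStatus() {",
  '  const key = process.env["STRIPE_SECRET_KEY"];',
  '  if (process.env.NODE_ENV === "development") console.log(key);',
  '  return <span>{DATABASE_URL ? "Connected" : "Down"}</span>;',
  "}",
].join("\n");

// Constructed sample .gitignore: ignores every .env file except the template.
const SAMPLE_GITIGNORE = "node_modules/\n.env*\n!.env.example\n";

function demo() {
  return {
    leaked: findServerEnvInClientFile(SAMPLE_CLIENT),
    unignored: unignoredEnvFiles(SAMPLE_GITIGNORE, [".env", ".env.local", ".env.example"]),
  };
}

console.log(demo());
```

To use it on a repository, read each .js/.jsx/.ts/.tsx file with fs and pass its contents to findServerEnvInClientFile, and pass the repository's .gitignore text to unignoredEnvFiles together with the .env files present; any non-empty result is a CI failure. The allowlist exists because client code commonly branches on NODE_ENV, and the destructuring case is included because const { SECRET } = process.env slips past a naive search for process.env.SECRET.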
