NEXT_PUBLIC_ Sensitive

NEXT_PUBLIC_ prefix on secret env vars

Severity: critical. Category: Security. Rule ID: next-public-sensitive

Why this matters

The NEXT_PUBLIC_ prefix tells Next.js to inline the value into the client-side JavaScript bundle at build time. If you prefix a secret key this way, it ships to every browser that loads your app, where anyone can read it from the page source.

Bad

# .env
NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_abc123
NEXT_PUBLIC_DATABASE_URL=postgres://admin:pass@host/db

Good

# .env
STRIPE_SECRET_KEY=sk_live_abc123
DATABASE_URL=postgres://admin:pass@host/db
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_xyz789

How to fix

Only use the NEXT_PUBLIC_ prefix for values that are safe to be public (publishable keys, API URLs). Keep secret keys, database URLs, and tokens without the prefix so they stay server-side and are never bundled into the client.
