The latest articles on DEV Community by Sandeep Bansod (@sandeepbansod). https://dev.to/sandeepbansod https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3862004%2F98e0b4d6-409e-4e2a-a1af-9d4e79da48f2.png https://dev.to/sandeepbansod en Sandeep Bansod Sun, 05 Apr 2026 09:09:00 +0000 https://dev.to/sandeepbansod/environment-variables-youre-leaking-to-the-frontend-without-knowing-it-1hb9 https://dev.to/sandeepbansod/environment-variables-youre-leaking-to-the-frontend-without-knowing-it-1hb9 <p>You added <code>NEXT_PUBLIC_</code> to your API key "just to test something quickly". That was six months ago. It's still there.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favmo2c6wss9j3qgbcipe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favmo2c6wss9j3qgbcipe.png" alt=" " width="800" height="419"></a></p> <p>Most developers know the rule: secret keys go in <code>.env</code>, never in client code. But the actual leaks aren't that obvious. They don't happen because someone is careless — they happen because the tooling is confusing, the error messages are silent, and the mistakes look completely fine until someone opens DevTools or pulls your bundle.</p> <h2> Mistake 1 — The NEXT_PUBLIC_ prefix on secrets </h2> <p>Next.js exposes any variable prefixed with <code>NEXT_PUBLIC_</code> to the browser. That's by design. The problem is developers reach for it the moment they hit a "variable is undefined" error on the client side — without asking <em>why it's undefined</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># .env.local # Fine — this is meant to be public NEXT_PUBLIC_API_URL=https://api.example.com # DANGER — now exposed in every JS bundle NEXT_PUBLIC_STRIPE_SECRET_KEY=sk_live_xxxxxxxxx NEXT_PUBLIC_DATABASE_URL=postgres://user:password@host/db </code></pre> </div> <p>Anyone can open your deployed site, go to Network → JS files, search for <code>sk_live_</code> and find it.</p> <p>Stripe secret keys have a very recognizable prefix. So do AWS access keys (<code>AKIA</code>), Supabase service role keys, and SendGrid API keys.</p> <p>The fix: if your key is only used in API routes or server components, it should never have <code>NEXT_PUBLIC_</code>. Call a backend route instead.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Wrong — secret key exposed to client</span> <span class="kd">const</span> <span class="nx">stripe</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stripe</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_STRIPE_SECRET_KEY</span><span class="o">!</span><span class="p">);</span> <span class="c1">// Right — only used in /api/checkout/route.ts (server-side)</span> <span class="kd">const</span> <span class="nx">stripe</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Stripe</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_SECRET_KEY</span><span class="o">!</span><span class="p">);</span> </code></pre> </div> <h2> Mistake 2 — Vite's import.meta.env and the VITE_ prefix </h2> <p>Vite works exactly the same way. Any variable prefixed with <code>VITE_</code> gets statically inlined into your bundle at build time. It's not fetched at runtime — it's literally copied into your JavaScript.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>VITE_API_URL=https://api.example.com # fine VITE_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1Ni # fine VITE_SUPABASE_SERVICE_KEY=eyJhbGciOiJIUzI1Ni... # never prefix this </code></pre> </div> <p>Run <code>npm run build</code> then open <code>dist/assets/index-xxxx.js</code> and search for your key. You'll find it in plain text, wrapped in production whatever.</p> <h2> Mistake 3 — process.env in bundled client code </h2> <p>With Create React App or older webpack setups, <code>REACT_APP_</code> variables get inlined. But even without that pattern, developers sometimes write shared utility files that get pulled into the client bundle without realizing it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// utils/config.ts — imported by both client and server code</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_URL</span><span class="p">,</span> <span class="na">stripeKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_SECRET_KEY</span><span class="p">,</span> <span class="p">};</span> </code></pre> </div> <p>The safe pattern: never import server config into code that's shared with the client.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// lib/server-config.ts — only imported in server files</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">serverConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">API_URL</span><span class="p">,</span> <span class="na">stripeKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_SECRET_KEY</span><span class="p">,</span> <span class="p">};</span> <span class="c1">// lib/client-config.ts — safe to import anywhere</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">clientConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_API_URL</span><span class="p">,</span> <span class="p">};</span> </code></pre> </div> <h2> Mistake 4 — Exposing .env through source maps </h2> <p>You've been careful with your variables. But did you ship source maps to production? Source maps reconstruct your original source code in the browser. If your server-side code ends up in a source map in your production build, the DevTools Sources tab will show the original file — including any hardcoded fallbacks.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// A common but dangerous pattern</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">STRIPE_SECRET_KEY</span> <span class="o">||</span> <span class="dl">"</span><span class="s2">sk_live_fallback_for_dev</span><span class="dl">"</span><span class="p">;</span> </code></pre> </div> <p>In Next.js, make sure source maps stay off in production:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// next.config.js</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">productionBrowserSourceMaps</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// default is false — make sure it stays that way</span> <span class="p">};</span> </code></pre> </div> <p>For Vite:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// vite.config.ts</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">build</span><span class="p">:</span> <span class="p">{</span> <span class="na">sourcemap</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="c1">// or "hidden" if you need them for error tracking only</span> <span class="p">},</span> <span class="p">});</span> </code></pre> </div> <h2> Mistake 5 — The API debug route you forgot to remove </h2> <p>This one is embarrassing but common. During local debugging, you add a quick route to dump env state. You commit it. It goes to production.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://yourapp.com/api/debug </code></pre> </div> <p>Now returns every single environment variable on your server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// pages/api/debug.ts</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">env</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span> <span class="p">});</span> <span class="c1">// must never go to production</span> <span class="p">}</span> </code></pre> </div> <h2> How to audit what you're actually shipping </h2> <p>Build your app and grep the bundle for known secret patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Next.js</span> npm run build <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"sk_live</span><span class="se">\|</span><span class="s2">AKIA</span><span class="se">\|</span><span class="s2">password</span><span class="se">\|</span><span class="s2">secret"</span> .next/static/chunks/ <span class="c"># Vite</span> npm run build <span class="nb">grep</span> <span class="nt">-r</span> <span class="s2">"sk_live</span><span class="se">\|</span><span class="s2">AKIA</span><span class="se">\|</span><span class="s2">password</span><span class="se">\|</span><span class="s2">secret"</span> dist/assets/ </code></pre> </div> <h2> Common mistakes </h2> <ul> <li>Prefixing secrets "temporarily" to fix a client-side undefined error — the root cause is architectural, not a missing prefix</li> <li>Sharing a single config file between server and client code — split them and enforce it with ESLint import rules</li> <li>Using fallbacks with real keys — <code>process.env.KEY || "real-key-here"</code> defeats the entire point</li> <li>Forgetting that third-party SDKs initialized client-side log their config (Sentry, Supabase, Firebase initialized with wrong keys expose them in network requests)</li> </ul> <h2> The takeaway </h2> <p>The leaks that hurt you aren't the obvious ones — they're the subtle ones. Every time you see <code>NEXT_PUBLIC_</code>, you added in a rush, the shared config file that got bundled, the debug route that made it to production. Build a habit: before any deploy, grep your bundle for known secret patterns, keep a hard separation between server and client config, and treat every environment variable as guilty until proven safe to expose.</p> <p>If you found this useful, I write about TypeScript, Node.js, Security and DevOps at stackdevlife.com — drop a follow if you'd like more!</p> <p><em>Originally published at <a href="https://www.stackdevlife.com/blog/environment-variables-leaking-frontend" rel="noopener noreferrer">stackdevlife.com</a></em></p> webdev security devops typescript