Secret Exposure Checked by Vezraa

Secrets in Environment Variables

Improper management of secrets through environment variables in client-accessible contexts.

While environment variables are good for backend configuration, NEXT_PUBLIC_* variables in Next.js are inlined into client bundles. Any secret prefixed with NEXT_PUBLIC_ is visible in the browser. Read secrets only from server-side code and proxy sensitive API calls through the server.
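
The check below is an added example, not Vezraa's code or part of the original entry: it parses .env content and flags NEXT_PUBLIC_ variables whose name or value looks like a secret. The function names, the name hints, the value patterns and the sample input are assumptions constructed for illustration.

```javascript
// Added example: flag NEXT_PUBLIC_ entries in .env content that look like secrets.
// The name hints and value patterns are illustrative assumptions, not a complete rule set.
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|API_?KEY|CREDENTIAL|DATABASE_URL)/i;
const SECRET_VALUE = [
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,               // PEM private key
  /^[a-z][a-z0-9+.-]*:\/\/[^\/\s:@]+:[^\/\s@]+@/i,    // URL with embedded user:password
];

// Parse KEY=VALUE lines; handles comments, an "export " prefix and quoted values.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) return;
    const quoted = /^(["'])(.*)\1$/.exec(m[2]);
    // Unquoted values may carry a trailing " # comment"; strip it.
    const value = quoted ? quoted[2] : m[2].replace(/\s+#.*$/, '');
    entries.push({ name: m[1], value, line: i + 1 });
  });
  return entries;
}

// Only NEXT_PUBLIC_ variables are inlined into the client bundle, so only those are checked.
function findExposedSecrets(text) {
  return parseEnv(text)
    .filter((e) => e.name.startsWith('NEXT_PUBLIC_'))
    .map((e) => {
      const reasons = [];
      if (SECRET_NAME.test(e.name)) reasons.push('name');
      if (SECRET_VALUE.some((re) => re.test(e.value))) reasons.push('value');
      return { name: e.name, line: e.line, reasons };
    })
    .filter((f) => f.reasons.length > 0);
}

// Constructed sample input; every value is a placeholder.
const SAMPLE_ENV = [
  '# constructed sample',
  'NEXT_PUBLIC_SITE_URL=https://example.test',
  'NEXT_PUBLIC_PAYMENT_SECRET_KEY="placeholder-not-a-real-key"',
  'export NEXT_PUBLIC_DB=postgres://app:placeholder@db.example.test/app',
  'PAYMENT_SECRET_KEY=placeholder-not-a-real-key   # server-only, not inlined',
  'NEXT_PUBLIC_ANALYTICS_ID=G-EXAMPLE',
].join('\n');

console.log(findExposedSecrets(SAMPLE_ENV));
```

A finding means the variable should lose the NEXT_PUBLIC_ prefix and be read only in server-side code; a value that has already shipped in a client bundle should be rotated.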
