Secret Exposure Checked by Vezraa
Secrets in Environment Variables
Improper management of secrets through environment variables in client-accessible contexts.
Environment variables are fine for backend configuration, but in Next.js any variable named NEXT_PUBLIC_* is inlined into the client bundles. A secret stored in a variable prefixed with NEXT_PUBLIC_ is therefore visible in the browser. Read secrets only through server-only env access and proxy sensitive API calls through the server.
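One way to check for this in a repository, as an added example that is not Vezraa's own code: it parses dotenv-style text and flags NEXT_PUBLIC_* entries that look like secrets. The function names, the keyword list, and the value patterns are assumptions chosen for illustration, and the sample input is constructed.

```javascript
// Added example: flag NEXT_PUBLIC_* entries in .env text that look like secrets.
// The name keywords and value patterns are assumed heuristics, not an official list.
const SECRET_NAME = /(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|CREDENTIAL|API_?KEY|DATABASE_URL)/i;
const SECRET_VALUE = [
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,            // PEM private key material
  /^[a-z][a-z0-9+.-]*:\/\/[^\/\s:@]+:[^\/\s@]+@/i, // URL with embedded user:password
];

// Parse dotenv-style text into [{ name, value, line }].
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const m = raw.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) return; // blank line, comment, or not an assignment
    let value = m[2].trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    if (quoted) value = quoted[2];
    else value = value.replace(/\s+#.*$/, ""); // strip trailing comment
    entries.push({ name: m[1], value, line: i + 1 });
  });
  return entries;
}

// Return the client-exposed entries whose name or value suggests a secret,
// with the name the variable would have once moved to server-only access.
function findExposedSecrets(text) {
  return parseEnv(text)
    .filter((e) => e.name.startsWith("NEXT_PUBLIC_") && e.value !== "")
    .filter((e) => SECRET_NAME.test(e.name) || SECRET_VALUE.some((re) => re.test(e.value)))
    .map((e) => ({
      line: e.line,
      name: e.name,
      suggestedName: e.name.slice("NEXT_PUBLIC_".length),
    }));
}

// Constructed sample input; every value is a placeholder, not a real credential.
const sampleEnv = [
  "# constructed sample",
  "NEXT_PUBLIC_SITE_NAME=Example Shop",
  'NEXT_PUBLIC_PAYMENT_SECRET_KEY="placeholder-not-a-real-key"',
  "export NEXT_PUBLIC_DB=postgres://app:placeholder@db.internal:5432/app",
  "PAYMENT_WEBHOOK_SECRET=placeholder # server-only, not flagged",
  "NEXT_PUBLIC_ANALYTICS_ID=G-PLACEHOLDER",
].join("\n");

console.log(findExposedSecrets(sampleEnv));
```

A flagged variable needs more than a rename: any value that has already shipped in a client bundle should be rotated, and the code that used it moved behind a server-side route.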