Security of secrets added to next.config.js

Question

We are working adding Auth0 to our Next.js website and referencing this example.

What I am wondering about is the settings in next.config.js in the example. It puts the Auth0 and other secrets in the client (via Webpack). Doesn't this put these secrets at risk? Since they are somewhere in the client code, there is a chance that a request can be made to access the secrets.

Examples in this Auth0 article also puts the secrets in the client.

I haven't had much luck finding out how Webpack handles the variables and am looking to the community to shed some light on this. We are trying to ensure our pattern is safe before putting it in to place.

From example, secrets being added to client side next.config.js:

const dotenv = require('dotenv')
dotenv.config()

module.exports = {
  env: {
    AUTH0_DOMAIN: process.env.AUTH0_DOMAIN,
    AUTH0_CLIENT_ID: process.env.AUTH0_CLIENT_ID,
    AUTH0_CLIENT_SECRET: process.env.AUTH0_CLIENT_SECRET,
    AUTH0_SCOPE: 'openid profile',
    REDIRECT_URI:
      process.env.REDIRECT_URI || 'http://localhost:3000/api/callback',
    POST_LOGOUT_REDIRECT_URI:
      process.env.POST_LOGOUT_REDIRECT_URI || 'http://localhost:3000/',
    SESSION_COOKIE_SECRET: process.env.SESSION_COOKIE_SECRET,
    SESSION_COOKIE_LIFETIME: 7200, // 2 hours
  },
}

Answer 1

Update - Next v9.4:

Since Next.js v9.4, it exposes only env variables with the prefix NEXT_PUBLIC_ to the browser. For more info, read this

---

Original answer:

DON'T put any secret env variables in a place that is accessible to the client.

I'm not sure what next does with this env property, It just configures a webpack DefinePlugin that replaces usages of process.env.VAR to it's value.

So, this means that your secrets will be inside bundles that are public.

To confirm that it is exposed in the client,

1. open dev-tools
2. open console by pressing esc
3. click on the search tab
4. enter your secret key

It will find it in one of the bundles.