Server secret exposed through a NEXT_PUBLIC_ variable
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A NEXT_PUBLIC_ environment variable whose name reads as a server secret (SECRET, PASSWORD, PRIVATE_KEY, SERVICE_ROLE). Next.js inlines every NEXT_PUBLIC_ value into the client JavaScript bundle, so this ships the secret to every visitor.
Why it matters
Next.js replaces every NEXT_PUBLIC_ reference with its literal value when it builds the client bundle, so anything named this way ships to every browser that loads the page. A variable called NEXT_PUBLIC_..._SECRET or _PASSWORD is almost certainly a server credential that must never leave the server. Once it is in a shipped bundle it is public and has to be rotated.
How to fix it
Rename the variable to drop the NEXT_PUBLIC_ prefix and read it only in server code (Route Handlers, Server Components, getServerSideProps, or server actions). If the browser genuinely needs a value, expose a narrowly scoped public token instead of the secret, and rotate the leaked credential at its provider.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo