Will It Vibe logoWill It Vibe?
NEXT-001High severity-15 points

Server secret exposed through a NEXT_PUBLIC_ variable

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A NEXT_PUBLIC_ environment variable whose name reads as a server secret (SECRET, PASSWORD, PRIVATE_KEY, SERVICE_ROLE). Next.js inlines every NEXT_PUBLIC_ value into the client JavaScript bundle, so this ships the secret to every visitor.

Why it matters

Next.js replaces every NEXT_PUBLIC_ reference with its literal value when it builds the client bundle, so anything named this way ships to every browser that loads the page. A variable called NEXT_PUBLIC_..._SECRET or _PASSWORD is almost certainly a server credential that must never leave the server. Once it is in a shipped bundle it is public and has to be rotated.

How to fix it

Rename the variable to drop the NEXT_PUBLIC_ prefix and read it only in server code (Route Handlers, Server Components, getServerSideProps, or server actions). If the browser genuinely needs a value, expose a narrowly scoped public token instead of the secret, and rotate the leaked credential at its provider.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks