SECURITY WARNING: Insecure usage of env variables!
TimMikeladze opened this issue · comments
SECURITY WARNING: Anyone who uses this repository as an example, be aware that the usage of env variables is not secure and you will leak your secret keys to the browser, allowing complete access to your Stripe and Sanity APIs to any user who inspects the bundled JavaScript.
Do not use this example without renaming your `.env` variables and reading up on how environment variables in NextJS work!
See the `.env` file in this repo.
Any variable prefixed with `NEXT_PUBLIC_` will be exposed to the browser. Read docs here: https://vercel.com/docs/concepts/projects/environment-variables
`STRIPE_SECRET_KEY` must not be exposed or made public. From the Stripe docs concerning the secret key: "On the server-side. Must be secret and stored securely in your web or mobile app’s server-side code (such as in an environment variable or credential management system) to call Stripe APIs." Read docs here: https://stripe.com/docs/keys
`NEXT_PUBLIC_SANITY_TOKEN` must only be used on the server, see docs here: https://www.sanity.io/docs/http-auth
```
NEXT_PUBLIC_SANITY_TOKEN = skqX4kdZKQRvszcSCIm7xQgzfu7lab7cgdpdeVnHr3AZ1Bzhv40Mqf7lQWQis6Wh5rnb8NzWr6vyQ0enw9SJCCOeAkT18GCdE70DYw2YPhIF26U3TM02qPEoZm8zcy8vBhu3RAvZvTs2vYfGdO8lDGMszusMbsPdBKMYRN3WiXqfeeJqkvdK
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY = pk_test_51Hqmw9EnylLNWUqj3gbIK3wHZBXqH0HegicIlGA0etfwS9a5JpESWoFucZHdnWMp0q6xq6thYSZghQUSpLkE46wJ00HrkNMsOV
NEXT_PUBLIC_STRIPE_SECRET_KEY = sk_test_51Hqmw9EnylLNWUqjP36GV1DkreuhVt1E4l7L1y7YwhvjES8OylYVpKjpIxTjv1FqKWq81pZWBjycNIJH9n1jfI7800n4seyJCH
```
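A check for the problem the issue describes, as an added example that is not part of the issue or of the repository it reports on: a small Node script that parses a `.env` file, flags every `NEXT_PUBLIC_`-prefixed variable whose name or value looks like a credential, and then confirms whether a flagged value was actually inlined into a built client chunk. The rule it relies on (every `NEXT_PUBLIC_*` value is substituted into browser JavaScript at build time) comes from the Next.js docs linked above; the Stripe `sk_`/`rk_` prefixes are from the Stripe docs; the Sanity token shape (`sk` followed by a long alphanumeric body), the variable-name hints, and all sample values are assumptions made for the example.

```javascript
// Added example, not code from the issue or the repository it reports on.
// Audits a Next.js .env file for secrets that the build will inline into the
// browser bundle, then checks a built chunk for those values.

// Value shapes that must never reach client code. Stripe prefixes per
// https://stripe.com/docs/keys; the Sanity shape is an assumption.
const SECRET_VALUE_PATTERNS = [
  { name: "Stripe secret key", re: /^sk_(live|test)_[A-Za-z0-9]+$/ },
  { name: "Stripe restricted key", re: /^rk_(live|test)_[A-Za-z0-9]+$/ },
  { name: "Sanity API token (assumed shape)", re: /^sk[A-Za-z0-9]{40,}$/ },
];
// Names that suggest a credential even when the value shape is unknown (assumed list).
const SECRET_NAME_HINT = /(SECRET|TOKEN|PRIVATE|PASSWORD)/;

// Minimal .env parser: KEY=VALUE or KEY = VALUE, '#' comments, optional quotes.
function parseDotenv(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = /^(['"])(.*)\1$/.exec(value);
    value = quoted ? quoted[2] : value.replace(/\s+#.*$/, "");
    vars[key] = value;
  }
  return vars;
}

// One finding per NEXT_PUBLIC_ variable that looks like a secret.
// Variables without the prefix are never inlined, so they are skipped.
function auditDotenv(text) {
  const findings = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (!key.startsWith("NEXT_PUBLIC_")) continue;
    const byValue = SECRET_VALUE_PATTERNS.find((p) => p.re.test(value));
    const byName = SECRET_NAME_HINT.test(key);
    if (!byValue && !byName) continue;
    findings.push({
      key,
      reason: byValue ? byValue.name : "name suggests a credential",
      fix: `rename to ${key.replace(/^NEXT_PUBLIC_/, "")} and read it only in server code (API routes, getServerSideProps)`,
    });
  }
  return findings;
}

// Post-build check: which flagged values appear verbatim in a client chunk?
// Run it over every file under .next/static after `next build`.
function findInlinedSecrets(bundleText, dotenvText) {
  const vars = parseDotenv(dotenvText);
  return auditDotenv(dotenvText)
    .map((f) => f.key)
    .filter((key) => bundleText.includes(vars[key]));
}

// Constructed sample .env: the issue's variable names with fake values.
const SAMPLE_DOTENV = [
  "NEXT_PUBLIC_SANITY_TOKEN = skEXAMPLE" + "0123456789".repeat(5),
  "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY = pk_test_EXAMPLEpublishable",
  "NEXT_PUBLIC_STRIPE_SECRET_KEY = sk_test_EXAMPLEsecret",
  "NEXT_PUBLIC_SANITY_PROJECT_ID = abc123",
  "STRIPE_SECRET_KEY = sk_test_EXAMPLEserveronly  # no prefix: stays on the server",
].join("\n");

// Constructed stand-in for a minified client chunk in which the build inlined
// two NEXT_PUBLIC_ values (a real one lives under .next/static/chunks/).
const SAMPLE_BUNDLE =
  'const s=Stripe("pk_test_EXAMPLEpublishable");fetch(u,{headers:{Authorization:"Bearer sk_test_EXAMPLEsecret"}});';

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditDotenv(SAMPLE_DOTENV)) console.log(`${f.key}: ${f.reason}; ${f.fix}`);
  console.log("inlined into bundle:", findInlinedSecrets(SAMPLE_BUNDLE, SAMPLE_DOTENV));
}
```

On the sample, `auditDotenv` flags `NEXT_PUBLIC_SANITY_TOKEN` and `NEXT_PUBLIC_STRIPE_SECRET_KEY` but not the publishable key or the project id, and `findInlinedSecrets` reports only the Stripe secret key, because that is the flagged value the constructed chunk contains. The name-based hint will produce false positives on harmless names, so treat it as a prompt to look, not as proof; the bundle check is the definitive one.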