While trying to solve an unrelated issue I unpacked the Netlify functions deployed on my site and noticed that they include my secret .env file in addition to the code. I am deploying a Next 13.4.8 app with the pages directory with Netlify's Next.js plugin.
Does it have to be like this, or have I configured something wrong?
Does this pose a security risk?
@skyzl That behavior appears to align with the Next.js documentation:
Loading Environment Variables
Next.js has built-in support for loading environment variables from .env* files into process.env.
…
This loads process.env.DB_HOST, process.env.DB_USER, and process.env.DB_PASS into the Node.js environment automatically allowing you to use them in Next.js data fetching methods and API routes.
…
Non-NEXT_PUBLIC_ environment variables are only available in the Node.js environment, meaning they aren’t accessible to the browser (the client runs in a different environment).
…
Runtime Environment Variables
Next.js can support both build time and runtime environment variables. By default, environment variables are only available on the server.
I can’t imagine it’d be a ‘security risk’ unless your ‘server functionality’ itself exposed a secret, for example a route that accessed the secret then just output it in a response.
Traditionally you want your secrets available on the server, just not on the client.
Ultimately since Netlify don’t produce Next.js, if your question is about Next.js configuration or Next.js behavior, your best bet would be asking their community, as they’ll have a better idea:
I have noticed that the environment variables in the .env file are actually not loaded in the edge function by Next.js. Instead the environment variables configured in the Netlify dashboard are used. According to Netlify these are encrypted. The .env file in the edge function bundle however is not.
Also it seems like the .env files are explicitly included by Netlify's Next plugin (refer to this commit). I don’t quite understand why it is necessary to include my secret env file in the bundle, especially since this behaviour is not documented and my local .env file might contain additional secrets that I don’t want to publish anywhere.
@skyzl I couldn’t say, I also don’t work for Netlify.
But if you run your build command locally, and check the output, and it doesn’t contain what you want, then that’s being performed by Next.js and the question would be best posed for them.
If you don’t see any of that as the result of the local build, but do see it when it’s performed on Netlify, (as you mention regarding Netlify’s next plugin), then it is a relevant question for Netlify.
If environment variables are not added in the UI or if someone wants to load a different set of variables using dotenv, the files need to be included there for that to work.
Also, the commit that you’re referring to is incorrect. Since you’re using Next.js 13.4, there’s no way you could be using Runtime v5. You must be using Runtime v4, and this feature was added to it long ago.