
I am using .yml files in my Next.js app because of Docker, and I use these .yml configurations in the Next.js runtimeConfig. These configs can be seen in the browser network tab, as they are attached to the document response.

I know about the serverSideConfigs, but some of the configurations need to be used on the front-end, so I can't put them in serverSideConfig.

Is there any way I can hide these runtimeConfigs in the network call responses?

  • "These configs can be seen in browser network tab as these are attached with document response." - Can you clarify what you mean by that? What are these configs, are they environment variables? If you're using them on the client they'll always be visible in the browser anyway. – juliomalves Oct 05 '21 at 12:12
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Oct 10 '21 at 04:30
  • Yes, the configs are the environment variables, and the app is using these variables on the client side. – Sallar Bhutto Oct 14 '21 at 11:29
  • A third party did a security pentest of our Next.js application and found that IPs are shown in our error page's source. Those IPs are actually other applications' URLs to which our application can redirect. These IPs are added in publicRuntimeConfig because the app is using them on the client side and they are also configurable at runtime. Now, Next.js always attaches those runtimeConfigs in the source. Is there any workaround to hide this runtimeConfig for my error page in Next.js? – Sallar Bhutto Oct 14 '21 at 11:46

1 Answer


You can put all sensitive information in serverRuntimeConfig instead of publicRuntimeConfig in next.config.js.

module.exports = {
  serverRuntimeConfig: {
    // Will only be available on the server side
    mySecret: 'secret',
    secondSecret: process.env.SECOND_SECRET, // Pass through env variables
  },
  publicRuntimeConfig: {
    // Will be available on both server and client
    staticFolder: '/static',
  },
}
– user3013823
  • As you mentioned you can't use serverRuntimeConfig, you can put them in the server configs, use them in getServerSideProps or getInitialProps, and then pass them to other components. It is also better to get those tokens through an API and use a better encoding algorithm for sensitive data. – user3013823 Mar 11 '22 at 10:53
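The following is an added example, not code from the question, the answer, or Next.js itself. It models the workaround the answer and the comment point at for the commenter's concrete case (redirect targets that are internal IPs): keep the real URLs in serverRuntimeConfig, ship only opaque keys in publicRuntimeConfig, and let a server-side handler (an API route or getServerSideProps) turn a key into the 302. Everything in publicRuntimeConfig is serialized into the page, so the only thing that truly hides a value from the browser is never sending it. The config contents, the key names, `resolveRedirectTarget`, `redirectHandler`, `leaksPrivateAddress` and the fake response object are assumptions for illustration; a real app would read the map with `getConfig().serverRuntimeConfig` inside the route.

```javascript
// Added example (not from the original post or from Next.js). Assumed names:
// redirectTargets, resolveRedirectTarget, redirectHandler, leaksPrivateAddress.

// Constructed sample of what belongs in serverRuntimeConfig: server only,
// never serialized into __NEXT_DATA__ or the document response.
const serverRuntimeConfig = {
  redirectTargets: {
    billing: 'http://10.0.0.12:8080/billing',
    support: 'http://10.0.0.15/support',
  },
};

// What is safe to put in publicRuntimeConfig: the opaque keys only. The
// client can build links like /api/go?to=billing without knowing the host.
const publicRuntimeConfig = {
  redirectKeys: Object.keys(serverRuntimeConfig.redirectTargets),
};

// Keys are short, lower-case identifiers; anything else is rejected before
// it can be used as a property name.
const KEY_PATTERN = /^[a-z][a-z0-9_-]{0,31}$/;

// Resolve a client-supplied key to a server-side URL. Returns null for
// anything that is not an exact, allow-listed key, so attacker-controlled
// input can neither name an arbitrary host (open redirect) nor reach
// inherited properties such as 'constructor' on the map object.
function resolveRedirectTarget(key) {
  if (typeof key !== 'string' || !KEY_PATTERN.test(key)) return null;
  const targets = serverRuntimeConfig.redirectTargets;
  if (!Object.prototype.hasOwnProperty.call(targets, key)) return null;
  return targets[key];
}

// Handler in the shape of a Next.js API route (e.g. pages/api/go.js).
// req.query.to carries the key; on success the browser gets a 302 whose
// Location header is the only place the internal URL ever appears, and only
// for an allow-listed key.
function redirectHandler(req, res) {
  const target = resolveRedirectTarget(req.query && req.query.to);
  if (target === null) {
    res.statusCode = 404;
    res.end('unknown destination');
    return;
  }
  res.statusCode = 302;
  res.setHeader('Location', target);
  res.end();
}

// Build-time guard: refuse a publicRuntimeConfig that contains anything
// that looks like an RFC 1918 IPv4 address. Run it from next.config.js
// before exporting the config so the leak the pentest found fails the build.
const PRIVATE_IPV4 =
  /\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b/;
function leaksPrivateAddress(config) {
  return PRIVATE_IPV4.test(JSON.stringify(config));
}

// Minimal stand-in for the Node response object so the handler can be
// exercised without a running Next.js server.
function fakeResponse() {
  const res = { statusCode: 200, headers: {}, body: '' };
  res.setHeader = (name, value) => { res.headers[name] = value; };
  res.end = (body = '') => { res.body = body; };
  return res;
}
```

The public config now carries nothing a pentester can harvest from the HTML, and the redirect cannot be pointed at a host the server did not allow-list, which is the other bug a naive "redirect to whatever the query string says" handler would introduce.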