Security risk?

[Fedeorlandau]

contentstack-nextjs-starter-app/next.config.js

Line 5 in 4053aff

const config = {

https://nextjs.org/docs/pages/api-reference/next-config-js/runtime-configuration

Why are you exposing the management keys to the client? Isn't that dangerous (even if they are read-only)?

Thanks

[Amitkanswal]

HI @Fedeorlandau thanks for reaching out, Currently our Nextjs starter app is using CSR/Live Preview so for that we need tokens to be available on the client side. We will be planning to update Nextjs LP to SSR, that way we can save management tokens as server private keys.

[bramski]

This method of setting environment variables using nextPublicConfig is deprecated. This example is used regularly and should be updated to the current nextJS standards.