Are NEXT_PUBLIC_ environment variables a security risk?
Environment variables prefixed with NEXT_PUBLIC_ are bundled into the client-side JavaScript and are visible to anyone who inspects your page source or network requests. This is by design in Next.js to allow client-side code to access configuration values. However, developers sometimes accidentally prefix sensitive values like API secrets, database connection strings, or private keys with NEXT_PUBLIC_, exposing them publicly. Only values that are safe to be public, such as analytics IDs or public API endpoints, should use this prefix. UNPWNED scans your deployed application for exposed environment variables and flags any that appear to contain sensitive credentials.
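As an added example (not code from this page, UNPWNED, or Next.js itself), here is a small pre-deploy check in JavaScript that parses a .env-style file and flags NEXT_PUBLIC_ variables whose name or value looks like a credential. The secret-pattern list, the function names and the sample .env values are constructed for illustration.

```javascript
// Added example: flag NEXT_PUBLIC_ variables that look like credentials before
// they are built into the client bundle. Heuristics and samples are constructed.
const SECRET_NAME = /(SECRET|PRIVATE|PASSWORD|PASSWD|TOKEN|DATABASE_URL|DSN)/i;
const SECRET_VALUE = [
  { reason: "connection string", re: /^(postgres(ql)?|mysql|mongodb(\+srv)?|redis):\/\/[^\s]*:[^\s]*@/i },
  { reason: "PEM private key", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
  { reason: "Stripe live secret key", re: /^sk_live_[A-Za-z0-9]+$/ },
  { reason: "AWS access key id", re: /^AKIA[0-9A-Z]{16}$/ },
  { reason: "JWT", re: /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/ },
];

// Parse KEY=VALUE lines; skip blanks and comments, strip surrounding quotes.
function parseDotenv(text) {
  const vars = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(".*"|'.*')$/.test(value)) value = value.slice(1, -1);
    vars[key] = value;
  }
  return vars;
}

// Return one finding per NEXT_PUBLIC_ variable whose name or value looks secret.
// Non-public variables are ignored: they never reach the browser bundle.
function findRiskyPublicEnv(text) {
  const findings = [];
  for (const [key, value] of Object.entries(parseDotenv(text))) {
    if (!key.startsWith("NEXT_PUBLIC_")) continue;
    const reasons = [];
    if (SECRET_NAME.test(key)) reasons.push("sensitive name");
    for (const { reason, re } of SECRET_VALUE) if (re.test(value)) reasons.push(reason);
    if (reasons.length) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed sample .env; every value below is fake.
const SAMPLE_ENV = `
NEXT_PUBLIC_GA_ID=G-ABCDEFG123
NEXT_PUBLIC_API_URL=https://api.example.com
NEXT_PUBLIC_STRIPE_KEY=sk_live_FAKE000000000000
NEXT_PUBLIC_DATABASE_URL="postgres://app:hunter2@db.internal:5432/app"
DATABASE_PASSWORD=hunter2
`;
console.log(findRiskyPublicEnv(SAMPLE_ENV));
```

Wiring a check like this into CI fails the build before a bundle containing the value is ever published, which is cheaper than finding it in a post-deploy scan.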
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.