by evilduck 564 days ago
It's not just a naming convention; it's part of the build/compilation step that will not bundle anything not specifically prefixed for the client, and is safe by default. You have to go out of your way to purposefully prefix an environment value with NEXT_PUBLIC_* to get it into the client bundle. I strongly doubt you've seen anyone screw this up by happenstance; maybe extreme laziness with copy and pasting, but even then, the all-caps naming requirement that includes "PUBLIC" is a big enough clue that I would consider it malice first.

This is also no worse than literally any SSR tool that's ever existed, going back to the CGI days.


> It's not just a naming convention it's part of the build/compilation step that will not bundle anything not specifically prefixed for the client, and is safe by default.

Yeah no, it isn't safe by default. I caught a frontend team shipping keys in the frontend code. Cause? A typo and using default templates which built on deploy.

Can you share a clear example? This still seems like a contrived complaint. How did someone fat-finger that specific naming-requirement prefix? Or how is leaking a value into a template like that not similarly a risk in a Python or Go backend that renders stuff on the server (like all the HTMX hype)? It feels like you're saying that a fat client-side SPA is the only answer to anything.