Secret env variables are exposed client-side

[notorigine]

Hi Dato and happy new year!

Just noticed that when using runTimeConfig.public, these env variables are exposed on the front-end; wouldn't it be better to only have them exposed server-side to avoid exposing these CDA token publicly?

Added screenshots for clarity:

Thank you!

[stefanoverna]

Happy new year too!

Hmm, I tried to make the token private: the server-side page generation is all OK, but the rehydration then fails because on the client side useQuery() cannot find the token. What is the best practice in these cases with Nuxt?

rehydration.mp4

[notorigine]

I'm not too sure to be honest - maybe the best practice would be to make useQuery() a server-side composable so that it has access to the relevant API token?

[stefanoverna]

Got it. Do you have any links discussing server-side composable by any chance?