Can server actions/components leak environmental variables?
Answered
Netherland Dwarf posted this in #help-forum
Netherland DwarfOP
Hey! Quick question, I'm using supabase for my database and I'm fetching anything on the database on server components/actions. Supabase has me provide an API key that should never be seen by the client, and I'm curious whether I call server actions from client components or even render server components how can I verify that the API key is never shown on the client?
Answered by B33fb0n3
The can and can’t. The function runs 100% serverside, so there is no way anything will be leaked. But what if you return the env. variable to the client? Then: yes, server actions can leak env. variables. But as long as you watch out what you return back to the client, you are good to go 👍
5 Replies
Netherland DwarfOP
I have imported
import "server-only" but I just wanna know if there is anything else I should be aware of@Netherland Dwarf I have imported `import "server-only"` but I just wanna know if there is anything else I should be aware of
The can and can’t. The function runs 100% serverside, so there is no way anything will be leaked. But what if you return the env. variable to the client? Then: yes, server actions can leak env. variables. But as long as you watch out what you return back to the client, you are good to go 👍
Answer
@B33fb0n3 The can and can’t. The function runs 100% serverside, so there is no way anything will be leaked. But what if you return the env. variable to the client? Then: yes, server actions can leak env. variables. But as long as you watch out what you return back to the client, you are good to go 👍
Netherland DwarfOP
Alright cool, I'm guessing this is the same for server components as well?
Good to know man 🙏