Security / Quiz
Secrets in Client Code
NEXT_PUBLIC exposure, source maps, publishable vs secret keys, and why a token in localStorage is XSS bait.
- Difficulty
- Easy
- Format
- Quiz
- Points
- 100
- Estimate
- 8 min
// MISSION BRIEF
Your Mission
Anything shipped to the browser is public, full stop. This quiz covers the client-side leak channels: framework public-env prefixes, production source maps, publishable vs secret keys, and where a session token is safest to live.
// FIRST CONTACT
Battle teaser
In a Next.js app, an env var prefixed NEXT_PUBLIC_ is:
- AInlined into the client bundle and readable by anyone; never put secrets there
- BAvailable only on the server
- CEncrypted before it reaches the browser
- DHashed so it cannot be read
Answers, scoring, hints, and the full battle stay sealed.
// SKILL TAGS
securitysecretsclient-sidetokens