Security / Quiz

Secrets in Client Code

NEXT_PUBLIC exposure, source maps, publishable vs secret keys, and why a token in localStorage is XSS bait.

Difficulty
Easy
Format
Quiz
Points
100
Estimate
8 min

// MISSION BRIEF

Your Mission

Anything shipped to the browser is public, full stop. This quiz covers the client-side leak channels: framework public-env prefixes, production source maps, publishable vs secret keys, and where a session token is safest to live.

// FIRST CONTACT

Battle teaser

In a Next.js app, an env var prefixed NEXT_PUBLIC_ is:

  1. AInlined into the client bundle and readable by anyone; never put secrets there
  2. BAvailable only on the server
  3. CEncrypted before it reaches the browser
  4. DHashed so it cannot be read
Answers, scoring, hints, and the full battle stay sealed.

// SKILL TAGS

securitysecretsclient-sidetokens