New
Introducing React Doctor for Enterprise

react-doctor/no-secrets-in-client-code

Move secrets to server-only code. Public client environment variables are bundled into browser code and must not contain secrets

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: always

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Confirm a VariableDeclarator with a string-literal initializer longer than 24 chars where either (a) the variable name matches /(?:api_?key|secret|token|password|credential|auth)/i inside a file classifySecretFileExposure marks as "client", or (b) the value matches a well-known credential prefix (sk_live_, sk_test_, ghp_, gho_, github_pat_, glpat-, xox[bporas]-, AKIA[A-Z0-9]{16}). False positive: intentionally public anon keys (Supabase, PostHog) still match the patterns.

Fix prompt

Use this once validation confirms the diagnostic is real.

Move the value to a server-only environment variable (read via process.env in a Route Handler, Server Component, API route, or *.server.ts file) and never reference it from "use client" modules. For genuinely public keys, rename the variable to avoid the heuristic and document the public scope inline. See https://nextjs.org/docs/app/guides/environment-variables

More Security rules from the rules reference:

  • react-doctor/nosql-injection-risk: Building a NoSQL query from raw client input lets an attacker inject operator-shaped keys or `$where` code and read or alter data they should not.
  • react-doctor/package-metadata-secret: A secret or public-prefixed secret name in `package.json` leaks easily, because package metadata is routinely published to registries, logs, and browser bundles.
  • react-doctor/path-traversal-risk: Building a filesystem path from request input lets an attacker use `..` or absolute paths to read or write files outside the intended directory.
  • react-doctor/plugin-update-trust-risk: Downloading and running an update or plugin without verifying its integrity lets an attacker ship malicious code to your users.
  • react-doctor/postmessage-origin-risk: Reading `event.data` in a `message` handler without checking `event.origin` lets any other window send data your code trusts, which can lead to cross-site scripting or data theft.