Server Environment Variables Accessible on Initial Render (SSR) - Security Concern?

On the initial render, it appears that server-side environment variables are accessible because Next.js performs Server-Side Rendering (SSR) for the first render. Is this not a security concern?


## First render:
<img width="1487" height="886" alt="Image" src="https://github.com/user-attachments/assets/cca878a2-2f71-4614-a114-0c643479b9e6" />

> my page is using "use client"
```
"use client";

import { env } from "next-runtime-env";

export default function Home() {
  return <pre>{JSON.stringify(env("HOME"), null, 2)}</pre>;
}

```

## Second render:
<img width="1483" height="855" alt="Image" src="https://github.com/user-attachments/assets/5d75ff33-0829-4c96-8417-38e668a23de6" />


Repo to reproduce it:https://github.com/dpnunez/runtime-env

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Server Environment Variables Accessible on Initial Render (SSR) - Security Concern? #187

First render:

Second render:

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Server Environment Variables Accessible on Initial Render (SSR) - Security Concern? #187

Description

First render:

Second render:

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions