Prevent developers from using secrets in client-side code
I've read up on server only components/etc, but it's not immediately clear to me if there is a way to prevent developers from accidentally using server code in the client. Is there anything that Nuxt does to prevent this similar to what SvelteKit does here https://kit.svelte.dev/docs/server-only-modules#how-it-works ? Basically, just want to disallow importing or invoking functions from the server directory in the client outside of fetching the endpoint.
SvelteKit docs
Server-only modules • SvelteKit documentation
3 Replies
we don't have "server-only" modules in Nuxt except things in the server folder (which should be only used in the "Nitro"-part, so the server part of your app, before Vue and Nuxt even boot up). These are for example not auto imported and it'd be more difficult to add them.
What you accidentally could do is using non-public runtime config but there is a warning on that now
Ah, interesting. Is using the runtimeConfig required at runtime or can I just use process.env as long as those env_vars are set in my server host at runtime (and in .env during dev)? Or are there any security concerns with doing this with nuxt?
You need runtime config