|
| 1 | +# Nuxt warnings |
| 2 | + |
| 3 | +`dotenv-diff` includes Nuxt-specific rules to catch unsafe or unreliable environment variable usage. |
| 4 | + |
| 5 | +This page reflects the currently implemented rule behavior and targets Nuxt 3. |
| 6 | + |
| 7 | +## Background |
| 8 | + |
| 9 | +Nuxt exposes runtime configuration through `runtimeConfig` (private, server-only) and `runtimeConfig.public` (exposed to the client), accessed via `useRuntimeConfig()`. |
| 10 | + |
| 11 | +In production, `.env` files are **not** read at runtime, and `process.env` is **not** populated in the browser. Environment variables only override runtime config when prefixed with `NUXT_` (private) or `NUXT_PUBLIC_` (public). |
| 12 | + |
| 13 | +## 1 `process.env` in client/universal code |
| 14 | + |
| 15 | +`process.env` is unreliable outside server code: it is not available in the browser, and `.env` files are not read at runtime in production. |
| 16 | + |
| 17 | +```vue |
| 18 | +<script setup lang="ts"> |
| 19 | +const key = process.env.API_SECRET; // ⚠️ |
| 20 | +</script> |
| 21 | +``` |
| 22 | + |
| 23 | +Warning: |
| 24 | + |
| 25 | +`process.env is not available in the browser; use useRuntimeConfig() instead` |
| 26 | + |
| 27 | +## 2 Sensitive-looking `NUXT_PUBLIC_` names trigger exposure warnings |
| 28 | + |
| 29 | +If a `NUXT_PUBLIC_` variable contains `SECRET`, `PRIVATE`, or `PASSWORD`, a warning is produced — these values are exposed to the browser. |
| 30 | + |
| 31 | +```ts |
| 32 | +process.env.NUXT_PUBLIC_API_SECRET; |
| 33 | +``` |
| 34 | + |
| 35 | +Warning: |
| 36 | + |
| 37 | +`Potential sensitive environment variable exposed to the browser` |
| 38 | + |
| 39 | +## What is allowed |
| 40 | + |
| 41 | +`process.env` is allowed in server-only contexts without framework warnings: |
| 42 | + |
| 43 | +- The Nitro `server/` directory (`server/api`, `server/routes`, `server/middleware`, etc.) |
| 44 | +- `.server.` suffixed files (for example `plugins/auth.server.ts`) |
| 45 | +- `nuxt.config.{ts,js,mjs,cjs}` (where env vars feed `runtimeConfig`) |
| 46 | + |
| 47 | +## Summary of rules |
| 48 | + |
| 49 | +- `process.env` in client/universal code → use `useRuntimeConfig()` |
| 50 | +- Sensitive names in `NUXT_PUBLIC_*` → warning |
| 51 | + |
| 52 | +## Best practices |
| 53 | + |
| 54 | +- Use `runtimeConfig` / `useRuntimeConfig()` instead of reading `process.env` directly in app code |
| 55 | +- Only put browser-safe values under `runtimeConfig.public` / `NUXT_PUBLIC_*` |
| 56 | +- Keep secrets in server-only code paths (`server/`, `.server.` files) |
0 commit comments