# Security

## Environment Variables

The `.env` file in the root of the project is used for all packages. When you run a dev, build or other script, dotenv loads the variables into the environment.

⚠️ Do not commit your tokens and keys into the repository. Use the gitignored `.env` files.

⚠️ Variables prefixed with `NEXT_PUBLIC_` are available on the client, so do not put anything secret in there.
## Security Headers

As an extra measure, additional security headers are added to the web app to mitigate some risk. Take a look at the `headers()` property in `apps/webbasic/next.config.js`.
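As an added example (not the project's own `apps/webbasic/next.config.js`), this is what such a `headers()` property can look like; the header set, the CSP directives and the helper names `buildCsp` and `routeHeaders` are assumptions to be adjusted per app:

```javascript
// Added example next.config.js (not the project's own config): attach a
// baseline set of security headers to every route. Directive values are
// assumptions; tune them per app and re-check with securityheaders.com and
// the Google CSP evaluator after each change.

// CSP kept as a map so each directive can be reviewed on its own line.
// Only 'self' is allowed; every third-party origin must be added explicitly.
const cspDirectives = {
  'default-src': ["'self'"],
  // Next.js emits inline bootstrap scripts; a production setup should add a
  // per-request nonce here rather than 'unsafe-inline', which the CSP evaluator flags.
  'script-src': ["'self'"],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:'],
  'font-src': ["'self'"],
  'connect-src': ["'self'"],
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
  'frame-ancestors': ["'none'"], // blocks framing; X-Frame-Options covers old browsers
};

// Serialise the directive map into the header value format "name values; ...".
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

const securityHeaders = [
  { key: 'Content-Security-Policy', value: buildCsp(cspDirectives) },
  // Two years of forced HTTPS; only set includeSubDomains once every subdomain serves TLS.
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// The rules Next.js applies; '/(.*)' matches every route, API routes and static assets included.
function routeHeaders() {
  return [{ source: '/(.*)', headers: securityHeaders }];
}

/** @type {import('next').NextConfig} */
const nextConfig = {
  async headers() {
    return routeHeaders();
  },
};

// Guarded so the snippet also runs as a plain script outside a Next.js build.
if (typeof module !== 'undefined') module.exports = nextConfig;
```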
You can validate the headers with these free tools:

- securityheaders.com: validates the security headers;
- Google CSP evaluator: validates the Content-Security-Policy.