Security
Environment Variables
The .env file in the root of the project is used for all packages. When you run a dev, build or other script, dotenv loads the variables into the environment.
⚠️
Do not commit your tokens and keys into the repository. Use the gitignored
.env files.
⚠️
Variables prefixed with NEXT_PUBLIC_ are available on the client, so do not
put anything secret in there.
Security Headers
As an extra measure, more secure headers are added to the web app to mitigate some risk. Take a look at the headers() property at apps/webbasic/next.config.js.
You can validate the headers by using these free tools
- securityheaders.com (opens in a new tab) - validate security headers;
- Google CSP evaluator (opens in a new tab) - validate Content-Security-Policy.