Private environment variables #1455

Closed
Nick-Mazuk opened this issue May 14, 2021 · 1 comment
@Nick-Mazuk
Contributor

Is your feature request related to a problem? Please describe.

Currently, all environment variables can be exposed in the browser. As per the Vite docs:

Since any variables exposed to your Vite source code will end up in your client bundle, VITE_* variables should not contain any sensitive information.

This exposes a potential security risk with API secrets.

Describe the solution you'd like

Next.js has an elegant solution where they are not exposed to the browser by default. To make an environment variable public, it needs to begin with NEXT_PUBLIC.

A similar solution would work really well.

All Vite environment variables can be private by default. But by using VITE_PUBLIC, they can be exposed to the browser as well.

Describe alternatives you've considered

In the meantime, I'm likely just going to use this system myself and be careful to not reveal private variables in the browser.

How important is this feature to you?

Fairly important. Keeping API secrets a secret is quite important, and if the framework were to do that automatically, it saves lots of time double-checking "is the code only running on the server?" as well as removes all potential for human error.

@benmccann
Member

I'm going to close this in favor of vitejs/vite#3176. We'd like all environment variables to be exposed on the server and the VITE_ ones globally available.
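
An added example, not part of the issue thread or of the project's code: a small JavaScript check that automates the double-checking described in the issue. It flags VITE_-prefixed variables whose names look sensitive, and non-prefixed values that appear in built client output. The variable names, values, bundle text and the name heuristic are constructed assumptions.

```javascript
// Added example: audit .env contents and a built client bundle for exposed secrets.
// Every variable name, value and bundle string below is constructed.
const PUBLIC_PREFIX = "VITE_"; // prefix the Vite docs say ends up in the client bundle
const SENSITIVE_NAME = /(SECRET|TOKEN|PASSWORD|PRIVATE|API_?KEY)/i; // heuristic (assumption)

// Parse KEY=VALUE lines; skips blanks and comments, strips matching quotes.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue; // no key before '='
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    if (quoted) value = quoted[2];
    vars[key] = value;
  }
  return vars;
}

// Returns findings for the two mistakes the issue worries about.
function auditEnv(envText, bundleText) {
  const findings = [];
  for (const [key, value] of Object.entries(parseEnv(envText))) {
    const isPublic = key.startsWith(PUBLIC_PREFIX);
    if (isPublic && SENSITIVE_NAME.test(key)) {
      findings.push({ key, issue: "public-prefix-on-sensitive-name" });
    }
    // Very short values would match bundle text by coincidence; skip them.
    if (!isPublic && value.length >= 8 && bundleText.includes(value)) {
      findings.push({ key, issue: "private-value-in-bundle" });
    }
  }
  return findings;
}

const sampleEnv = `
# constructed sample
VITE_API_URL=https://api.example.test
VITE_PAYMENT_SECRET_KEY="constructed-pay-key-0001"
DATABASE_PASSWORD=constructed-db-pass-42
SESSION_SECRET=constructed-session-99
`;
const sampleBundle =
  'const a="https://api.example.test";fetch(a,{headers:{x:"constructed-db-pass-42"}})';

console.log(auditEnv(sampleEnv, sampleBundle));
```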
