Instrumenting Next.js with runtime secret injection
9 months ago
- #Runtime Secrets
- #Next.js
- #Security
- Next.js 14 introduces an instrumentation feature that runs custom logic once at application startup from an `instrumentation.ts` (or `instrumentation.js`) file.
- The `register()` function in the instrumentation file is ideal for initializing services like logging, telemetry, or runtime secret injection.
- Runtime secret injection via instrumentation keeps secrets out of code, version control, and build artifacts, enhancing security and portability.
- Using `.env` files for secrets in Next.js has drawbacks, including security risks and poor scalability, making secret management tools a better alternative.
- A demo setup involves creating an `instrumentation.ts` file to fetch secrets from a service like Phase and inject them into the global scope (`globalThis.secrets`).
- Secrets can then be read throughout the server-side application via `globalThis`, or, for tighter control, through a module-local cache that exposes them only via a getter.
- Values the client needs should not be exposed with the `NEXT_PUBLIC_` prefix (which inlines them into the browser bundle at build time); instead, pass them as props from server components to client components, or use a context provider.
- This approach ensures secrets are only available in the Node.js runtime and are not exposed to the client unnecessarily.
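The module-local cache variant from the points above, written out as an added example (not code from the original post or from Phase). It assumes the provider is abstracted as a `SecretFetcher`; `demoProvider` is a constructed in-memory stand-in for the real secret-manager call so the file runs offline, and `register()` is what `instrumentation.ts` would export.

```typescript
export type SecretMap = Readonly<Record<string, string>>;
export type SecretFetcher = () => Promise<SecretMap>;

// Module-local, not on globalThis: only server code importing this module can read it.
let cache: SecretMap | null = null;

// NEXT_PUBLIC_ names are inlined into the browser bundle at build time,
// so they are never treated as secrets here.
export function isClientExposedKey(name: string): boolean {
  return name.startsWith("NEXT_PUBLIC_");
}

// Synchronous install step: filter, freeze, cache. Returns the number of secrets kept.
export function installSecrets(fetched: SecretMap): number {
  const kept: Record<string, string> = {};
  for (const [k, v] of Object.entries(fetched)) {
    if (!isClientExposedKey(k)) kept[k] = v;
  }
  cache = Object.freeze(kept);
  return Object.keys(kept).length;
}

// Read access fails loudly instead of yielding undefined, so a register() that
// never ran, or a typo in a secret name, surfaces at the first use.
export function getSecret(name: string): string {
  if (cache === null) throw new Error("secrets not initialised: register() has not run");
  const v = cache[name];
  if (v === undefined) throw new Error(`unknown secret: ${name}`);
  return v;
}

export function hasSecret(name: string): boolean {
  return cache !== null && name in cache;
}

// register() is invoked for every runtime; only the Node.js runtime gets secrets.
// undefined means we are outside Next.js (e.g. a plain script), which is Node too.
export function shouldLoadIn(runtime: string | undefined): boolean {
  return runtime === undefined || runtime === "nodejs";
}

// Constructed provider standing in for the real secret-manager fetch (hypothetical values).
export const demoProvider: SecretFetcher = async () => ({
  DATABASE_URL: "postgres://app:example-password@db.internal/app",
  NEXT_PUBLIC_API_BASE: "https://api.example.com",
});

export async function register(fetcher: SecretFetcher = demoProvider): Promise<boolean> {
  const runtime = (globalThis as any).process?.env?.NEXT_RUNTIME as string | undefined;
  if (!shouldLoadIn(runtime)) return false; // skip the edge runtime
  installSecrets(await fetcher());
  return true;
}
```

Server code imports `getSecret` from this module; nothing is placed on `globalThis`, so the cache cannot be enumerated from elsewhere by accident.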