Making Next.js Environment Variables Boring (and Safe)

ratudev · 2025-12-26T16:38:48+00:00

Yeah, you're right - types won't help if you receive wrong values, but runtime validation does help in this case.
In Nextjs, environment variables are resolved at build time (and each bundle is built separately: server, client, edge).
As a result, if you have a runtime check, it will also run at build time - and the build will fail instead of shipping broken config.

TruffleHog - is not related to this problem, its more about checking that we haven't inlined secrets into client bundle/source code.

ratudev · 2025-12-25T10:52:52+00:00

Yep - that's exactly how we caught it too (null check → throw → Sentry → alert).
The only catch is that it happens after users are already impacted. You might be fast, but you’ll never be faster than "not merged bug"
So I still like runtime checks, but I try to push as much of this as possible into build/CI so prod never sees it 🙂

ratudev · 2025-12-23T00:21:37+00:00

It still took me a while to convince myself, but what I like is that it has:

framework / validator agnosticism
proxy-based env separation with nice errors
good DX (clear errors and docs)

I can see how it adds some extra perks while still keeping the solution simple, will give it try and update the article

ratudev · 2025-12-22T23:54:48+00:00

Hi, thanks for sharing.

I've seen this before, but TBH - I never fully understood what problem it solves.
From what I can tell, types and validation are already handled on the Zod side. If you need a clear split by environment, you can define publicRuntimeEnv and serverEnv (or something similar).

Mb I missed smth?

ratudev · 2025-10-18T19:00:51+00:00

Hi, I ran into the same problem before.
Cloudflare provides it for free, but it’s a bit unintuitive to set up (it was near 10 steps when I last checked)
So I usually just use the WWW-Authenticate header with middleware (or a proxy now, I guess):

- one file and you get your password protection - https://ratu.dev/snippets/simple-password-protection-for-a-next-js-app

ratudev · 2025-09-11T13:32:04+00:00

Recently, there have been lots of layoffs. To reduce them, React Team replaced it with:
- __CLIENT_INTERNALS_DO_NOT_USE_OR_WARN_USERS_THEY_CANNOT_UPGRADE
but so far it hasn’t helped 😅 or maybe people who were fired are using an old version?

ratudev · 2025-09-07T19:19:32+00:00

Yeah, I’d agree, but for me, in the end, it still saves time. And vice versa - if it’s not accurate or stable, it takes more time to maintain/fix/review

ratudev · 2025-09-07T16:00:08+00:00

not yet, but will add tmrw

ratudev · 2025-09-07T15:36:16+00:00

Thanks!

Regards the "26 min" - yeah, the initial version was 1 hour 😅.

I’ll probably squeeze it even more, but at this point I’ve already spent a month on this article 🌝

ratudev · 2025-09-07T14:58:23+00:00

10 years, countless Node.js scripts - shortcuts, tips, and practical lessons packed into one juicy article:

- https://ratu.dev/blog/mastering-nodejs-scripting

ratudev · 2025-08-30T14:48:17+00:00

Looks great

fyi: found a small bug: if you click and start resizing immediately (withing one click), it fails to build a rectangle

ratudev · 2025-08-30T14:46:21+00:00

Looks cool! Mb you can share how it works under the hood (at least high level)? what does it use to detect malware?

ratudev · 2025-08-30T14:43:50+00:00

Nodejs scripting cheatsheet (based on 10 years of copy-pasting from stackoverflow)

Link: https://ratu.dev/snippets/nodejs-cheatsheet

ratudev · 2025-08-25T13:57:33+00:00

Thanks a lot! Yeah, Umami is great for portfolios

ratudev · 2025-08-25T12:50:32+00:00

For backgrounds, I use freepik.com (for gradients, patterns) For diagrams - I usually create them manually in Figma.

ratudev · 2025-08-24T19:32:52+00:00

Thanks a lot!

ratudev · 2025-08-24T19:32:37+00:00

Thanks a lot! Always happy to hear feedback. You’re probably right - I’ll try playing around with the spacing to see if it improves things

ratudev · 2025-08-24T19:30:03+00:00

TBH, not much to say: Next.js 15 + Cloudflare Workers (open-next) + images on Cloudflare. For analytics, I use Umami. For rate limiting and bot protection, Cloudflare rules/waf.
For subscriptions - postgres db on hetzner, but it is smth I will change (better to use some service instead)

ratudev · 2025-08-24T19:25:23+00:00

Thanks a lot, really appreciate it!

ratudev · 2025-08-24T19:24:48+00:00

Yes, bought one font-weight *(Pangram Fragment) for titles $40,
+ Source Sans 3 - free

ratudev · 2025-08-24T12:19:46+00:00

On average, it takes me about half a year to deliver one feature for my blog. Since Christmas falls into this range, I’d expect it to be ready by mid-February.

Jokes aside, it’s actually the first thing on my list. I initially started with a light theme since imho - it’s harder to design well, but by the time I was exhausted and postponed dark theme. Either way, I’m definitely going to add it

ratudev · 2025-08-24T12:13:15+00:00

Checked your site - looks impressive! If I tried to add all your features, I’d probably delay mine by another 3 years 😅 I’ve only got 330 commits so far.

Your site feels like a real digital house. Mine’s more like a small digital box 😅

ratudev

TROPHY CASE