medusajs / nextjs-starter-medusa

A performant frontend ecommerce starter template with Next.js 14 and Medusa.
https://next.medusajs.com/
MIT License
1.79k stars 497 forks

NEXT_PUBLIC_MEDUSA_BACKEND_URL- Why would we expose our backend url to the client? #344

Open sschweimler opened 4 months ago

sschweimler commented 4 months ago

Is there a specific reason why the backend URL in .env.template is exposed to the client by using NEXT_PUBLIC? I think it's a bad idea because it makes the backend visible to potential attackers. If we need to access backend data on the client side, then we should use route handlers or server actions.

Deroswent commented 4 months ago

Totally supportive. This is a very bad idea.

But since this starter is very buggy, and is basically the starter from version 1, with minimal changes, I hope the developers will completely change it for version 2, where they will fix it.
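
The route-handler approach suggested in the opening comment, as an added example that is not part of the thread or of the starter's own code. The variable name `MEDUSA_BACKEND_URL`, the route file path and the allow-list are assumptions; the handler forwards only allow-listed store paths, so the proxy does not become a relay to the whole backend.

```javascript
// Added example for a Next.js 14 App Router route handler,
// e.g. app/api/[...path]/route.js (hypothetical path).
// MEDUSA_BACKEND_URL has no NEXT_PUBLIC_ prefix, so Next.js does not
// inline it into the client bundle (assumed variable name).

// Backend path prefixes the browser may reach through the proxy (assumed list).
const ALLOWED_PREFIXES = ["/store/products", "/store/collections", "/store/regions"];

// Return the upstream URL for the requested path, or null if it must be refused.
function resolveUpstream(backendUrl, segments, search = "") {
  if (!backendUrl || !Array.isArray(segments) || segments.length === 0) return null;
  // Refuse dot segments, separators and percent-encoding so the path
  // cannot climb out of the allow-list or point at another host.
  for (const s of segments) {
    if (s === "" || s === "." || s === ".." || /[\/\\?#%]/.test(s)) return null;
  }
  const path = "/" + segments.join("/");
  const allowed = ALLOWED_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
  if (!allowed) return null;
  const base = new URL(backendUrl);
  const target = new URL(path + search, base.origin);
  // Defence in depth: the result must still be on the configured backend origin.
  return target.origin === base.origin ? target.toString() : null;
}

// In a Next.js project this function is exported from route.js as GET.
async function GET(request, { params }) {
  const target = resolveUpstream(
    process.env.MEDUSA_BACKEND_URL,
    params.path,
    new URL(request.url).search
  );
  if (!target) return Response.json({ error: "not found" }, { status: 404 });
  try {
    const upstream = await fetch(target, { headers: { accept: "application/json" } });
    // Relay only the status and JSON body; backend headers stay on the server.
    return Response.json(await upstream.json(), { status: upstream.status });
  } catch {
    // Do not leak the backend address or error details to the client.
    return Response.json({ error: "upstream unavailable" }, { status: 502 });
  }
}
```
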