# Data Handling & Secrets (Frontend Standard)
This document defines baseline rules for:
- environment variables (`.env`, `NEXT_PUBLIC_*`)
- secrets handling
- PII handling in the browser and on the Next.js server
## Environment variables

### .env files (local-only)
`.env` files are for local development only.
- They must be ignored by git.
- Each repo must provide a committed `.env.example` with placeholders only.

### Server vs client environment variables
- Server-only: anything that must not ship to the browser (secrets, internal base URLs).
- Client-exposed: variables prefixed with `NEXT_PUBLIC_` (these are bundled into the browser build).

Rule: never put any of the following into `NEXT_PUBLIC_*`:
- backend internal/private base URLs
- access/refresh tokens
- API keys or secrets
### Railway internal/private URLs
Internal/private service hostnames must be treated as server-only and used only by Route Handlers (or other server runtime code). The browser cannot reach them.
## PII handling

### Minimize
- Only collect/store PII that the product needs.
- Avoid sending PII to analytics by default.
### Logging rules
Server-side Next.js logs must never include:
- access/refresh tokens
- cookies
- Authorization headers
- passwords
- raw request bodies unless explicitly reviewed and redacted
Client-side logging:
- do not log PII or secrets
- do not log raw server error payloads if they might contain sensitive detail
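As an added illustration of the server-side logging rules (example code, not part of this standard or any project's code base): a helper that redacts tokens, cookies, Authorization headers, passwords and common PII fields before a Route Handler writes a log entry. The key list, the `[REDACTED]` marker and the request shape are assumptions.

```typescript
// Added example: redact sensitive headers and body fields before logging.

// Exact header/field names that must never reach a log (assumed list).
const SENSITIVE_KEYS = new Set([
  "authorization", "cookie", "set-cookie", "password",
  "access_token", "refresh_token", "token",
]);

// A key is sensitive if it is in the list or looks like a secret/PII field.
function isSensitiveKey(key: string): boolean {
  const k = key.toLowerCase();
  return SENSITIVE_KEYS.has(k) || /token|secret|password|email|phone/.test(k);
}

type Json = null | boolean | number | string | Json[] | { [k: string]: Json };

// Walk a JSON-like value and replace sensitive values with a fixed marker.
function redact(value: Json, depth = 0): Json {
  if (depth > 10) return "[TRUNCATED]"; // guard against very deep input
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = isSensitiveKey(k) ? "[REDACTED]" : redact(v, depth + 1);
    }
    return out;
  }
  return value;
}

// Build the entry a Route Handler logs: method, path (no query string, which
// may carry tokens), status, and redacted copies of headers and body.
function requestLogEntry(
  req: { method: string; url: string; headers: Record<string, string>; body?: Json },
  status: number,
): { [k: string]: Json } {
  const path = new URL(req.url, "http://placeholder.invalid").pathname;
  return {
    method: req.method,
    path,
    status,
    headers: redact(req.headers),
    body: redact(req.body ?? null),
  };
}
```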