HighFile-scopeJavaScript / TypeScript Plug & play

Never expose secrets to the client

Read secrets (process.env.*) only in Server Components, Route Handlers, or server actions. Client Components must use ONLY NEXT_PUBLIC_* variables.

Why this matters

Protects credentials and prevents leaks in the client bundle.

Side-by-side examples engineers can pattern-match during review.

Avoid

'use client'
console.log(process.env.STRIPE_SECRET_KEY)

Prefer

export async function GET(){ const key = process.env.STRIPE_SECRET_KEY; return NextResponse.json({ configured: !!key }) }

Bad

process.env.DB_URL inside a Client Component

Good

process.env.DB_URL inside a Route Handler

From the same buckets as this rule.

High
Keep 'use client' at the leaf: default to Server Components
Prefer Server Components for pages/layouts and move interactivity to small leaf Client Components. Only add 'use client' where browser APIs or event handlers are strictly necessary.
stack-nextjsstack-react+2
High
Make fetch caching explicit in Server Components
For dynamic data use { cache: 'no-store' } or file-level dynamic = 'force-dynamic'. For ISR use { next: { revalidate: N, tags: [...] } }.
stack-nextjsstack-react+2
High
Middleware only for light auth/rewrites
Keep middleware fast and side-effect free (no DB writes). Narrow the matcher and skip static assets. Use Route Handlers for heavy logic.
stack-nextjsstack-react+2