Critiq Docs
security.misconfiguration

Keep secrets out of Nuxt public runtime config

Sensitive credentials must not be exposed through runtimeConfig.public, which is visible to client bundles.

#Metadata

Rule ID
ts.security.nuxt-public-runtime-secret
Severity
high
Confidence
0.86
Languages
javascript, typescript
Presets
recommended, security, strict
Stability
experimental
Applies to
block
Tags
nuxt, rules-catalog, security

#Why it matters

Nuxt serializes runtimeConfig.public into the client bundle and the page payload, so every value under it is readable by any visitor (browser code reaches it through useRuntimeConfig().public, and it can be read straight out of the served HTML or JavaScript). Placing secret material there therefore leaks API keys, database passwords, and signing material to anyone who loads the site, not just to authenticated users.

#Remediation

Keep secrets at the top level of runtimeConfig (the private tree, which Nuxt exposes only to server-side code) and put only publishable identifiers under runtimeConfig.public, such as a public API base URL or a Stripe-style publishable key. Supply the private values through NUXT_* environment variables rather than hard-coding them, and check the Nuxt runtime config documentation for the exact override rules. Moving a key out of the public tree does not un-leak it: any secret that has already shipped in a client bundle should be treated as compromised and rotated.
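The following is an added example and not Critiq's own rule implementation or code from the Nuxt project. It shows the misconfigured shape beside the corrected one and a minimal checker of the kind this rule describes: it walks only the `public` subtree of a runtimeConfig literal and flags keys whose names or values look like secret material. The key-name and value heuristics, the function names, and the sample values are all assumptions made for illustration.

```typescript
// Added example (not Critiq's rule implementation): a minimal checker that
// walks a Nuxt runtimeConfig literal and flags secret-looking entries under
// `public`. Entries outside `public` are private (server-only) and not flagged.

type ConfigTree = { [key: string]: unknown };

// Key-name heuristics (assumed, not Critiq's): names that usually denote
// secret material.
const SECRET_KEY_PATTERN = /(secret|password|passwd|private|signing|credential|token|apikey|api_key)/i;

// Allow-list: publishable keys and client IDs are designed to ship to the browser.
const ALLOWED_PATTERN = /(publishable|public|client_?id)/i;

// Value heuristic (assumed): a long, space-free string mixing letters and digits.
function looksLikeSecretValue(v: unknown): boolean {
  return typeof v === 'string'
    && v.length >= 20
    && !/\s/.test(v)
    && /[A-Za-z]/.test(v)
    && /[0-9]/.test(v);
}

interface Finding { path: string; reason: 'name' | 'value' }

function walk(tree: ConfigTree, prefix: string, out: Finding[]): void {
  for (const [key, value] of Object.entries(tree)) {
    const path = `${prefix}.${key}`;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      walk(value as ConfigTree, path, out); // nested public objects are public too
      continue;
    }
    if (ALLOWED_PATTERN.test(key)) continue;
    if (SECRET_KEY_PATTERN.test(key)) out.push({ path, reason: 'name' });
    else if (looksLikeSecretValue(value)) out.push({ path, reason: 'value' });
  }
}

// Entry point: only the `public` subtree is inspected, because that is the
// only part Nuxt ships to the client.
function findPublicSecrets(runtimeConfig: ConfigTree): Finding[] {
  const out: Finding[] = [];
  const pub = runtimeConfig.public;
  if (pub !== null && typeof pub === 'object') {
    walk(pub as ConfigTree, 'runtimeConfig.public', out);
  }
  return out;
}

// Constructed sample of the shape this rule reports. All values are fake.
const weakRuntimeConfig: ConfigTree = {
  public: {
    apiBase: '/api',
    stripePublishableKey: 'pk_test_FAKE0000000000000000', // fine: meant for the browser
    stripeSecretKey: 'sk_test_FAKE0000000000000000',      // leaks to every visitor
    jwtSigningSecret: 'change-me',                        // leaks to every visitor
  },
};

// Corrected shape: secrets sit at the top level of runtimeConfig, which Nuxt
// exposes only to server-side code. The empty strings are placeholders that
// Nuxt overrides at runtime from NUXT_STRIPE_SECRET_KEY / NUXT_JWT_SIGNING_SECRET.
const hardenedRuntimeConfig: ConfigTree = {
  stripeSecretKey: '',
  jwtSigningSecret: '',
  public: {
    apiBase: '/api',
    stripePublishableKey: 'pk_test_FAKE0000000000000000',
  },
};

// Usage: findPublicSecrets(weakRuntimeConfig) reports two entries,
// findPublicSecrets(hardenedRuntimeConfig) reports none.
```

The checker is deliberately keyed on the `public` subtree rather than on key names alone: a `stripeSecretKey` at the top level of runtimeConfig is exactly where Nuxt wants it, and flagging it there would only train developers to ignore the rule.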

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.nuxt-public-runtime-secret.rule.yaml.