The Env Variable Name Was Gone From the Bundle. The Value Wasn't.
The OopsSec Store challenge highlights a common misconfiguration in Next.js applications: using NEXT_PUBLIC_-prefixed environment variables for secrets. Next.js substitutes these variables into the client-side JavaScript bundle at build time, so the variable name disappears from the shipped code while its value is inlined as a string literal, readable by any user who inspects the network panel or the static chunks under /_next/static/chunks/.

In the challenge, a payment credential stored under NEXT_PUBLIC_PAYMENT_SECRET is sent as the X-Payment-Auth header from the checkout page, so recovering the value takes a single request inspection in the browser. The application can be run locally with `npx create-oss-store oss-store` or with Docker using `docker run -p 3000:3000 leogra/oss-oopssec-store`.

This serves as a practical reminder that environment variables intended for client-side use are effectively public and must never contain sensitive data: anything stored in a NEXT_PUBLIC_ variable is exposed to every client.
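As an added example (not code from the challenge or from Next.js itself), the Node script below mimics the build-time inlining of process.env.NEXT_PUBLIC_* references and then audits the resulting chunk for secret-looking values, which is the check a build pipeline can run before deploying. The .env content, page source, chunk path and credential value are constructed placeholders.

```javascript
// Added example, not from the challenge: simulate Next.js build-time inlining of
// NEXT_PUBLIC_ variables and audit the output chunks for leaked secret values.
const SENSITIVE_NAME = /SECRET|TOKEN|PASSWORD|PRIVATE|AUTH/i;

// Parse dotenv-style text into { name: value }. Assumes simple KEY=VALUE lines.
function parseEnv(text) {
  const vars = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || !line.includes("=")) continue;
    const eq = line.indexOf("=");
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if (/^(".*"|'.*')$/.test(value)) value = value.slice(1, -1); // strip surrounding quotes
    vars[name] = value;
  }
  return vars;
}

// What the bundler does: each process.env.NEXT_PUBLIC_* reference becomes a string
// literal, so the variable NAME no longer appears in the chunk, only its VALUE.
function inlinePublicEnv(source, vars) {
  return source.replace(/process\.env\.(NEXT_PUBLIC_[A-Z0-9_]+)/g, (_, name) =>
    name in vars ? JSON.stringify(vars[name]) : "undefined");
}

// Audit: for every NEXT_PUBLIC_ variable whose name looks secret-bearing, report
// which chunks carry its value (grepping for the name alone would miss them).
function findLeakedPublicVars(vars, chunks) {
  const findings = [];
  for (const [name, value] of Object.entries(vars)) {
    if (!name.startsWith("NEXT_PUBLIC_") || !SENSITIVE_NAME.test(name) || value.length < 8) continue;
    const files = Object.keys(chunks).filter((f) => chunks[f].includes(value));
    if (files.length) {
      findings.push({ name, files, nameInBundle: files.some((f) => chunks[f].includes(name)) });
    }
  }
  return findings;
}

// Constructed sample input: an .env file and the checkout page source before bundling.
const SAMPLE_ENV = `
NEXT_PUBLIC_API_BASE=https://store.example/api
NEXT_PUBLIC_PAYMENT_SECRET="pay_live_PLACEHOLDER_not_a_real_credential"
PAYMENT_WEBHOOK_SECRET=server-only-value
`;
const CHECKOUT_SRC = 'fetch("/api/pay", { headers: { "X-Payment-Auth": process.env.NEXT_PUBLIC_PAYMENT_SECRET } });';
const vars = parseEnv(SAMPLE_ENV);
const chunks = { "static/chunks/pages/checkout.js": inlinePublicEnv(CHECKOUT_SRC, vars) };
const findings = findLeakedPublicVars(vars, chunks);
console.log(JSON.stringify(findings, null, 2)); // flags NEXT_PUBLIC_PAYMENT_SECRET with nameInBundle: false
```

The server-only PAYMENT_WEBHOOK_SECRET is never inlined and never flagged, which is the pattern to use for anything a client must not see: keep the credential in a non-prefixed variable and let a server-side route attach it.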