How to trust that server didn’t leak to client?
How can I trust and ensure that server privates didn’t leak into client?
I tried using a .server extension, placing functions in a /server directory, etc. They are all still bundled into the client.
I don’t know any way to just use “serverOnly” on functions but feel assured that a global const doesn’t leak.
Is there documentation on how a server function can bundle this?
My problem is that a silly dev will see something outside a server function scope and import that into a client and can expose things.
I really hoped for an extension, server folder, or both, that enforced this.
For now I’m using oRPC to have more safety but I’d rather skip the network hop.
2 Replies
fair-rose•2w ago
> I don’t know any way to just use “serverOnly” on functions but feel assured that a global const doesn’t leak.
My workaround for global const is... It is a bit ugly but yeah...
harsh-harlequinOP•2w ago
Yup, and a new dev may onboard and code without this may slip through. Svelte went a more intuitive path and enforces server functions via file names and folders, and I’d love to just have a /server/functions and /server/middleware where I can guarantee nothing leaks.
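One way to enforce the folder and file-name convention discussed in this thread is a CI check over the import graph. This is an added example, not code from the thread or from any framework. It assumes a policy that nothing reachable from the client entry may import a module under a /server/ directory or named *.server.*; the sample project, the function names and the entry path are constructed, and only relative import specifiers are followed.

```javascript
// Constructed sample project: module path -> source text (not from the thread).
const SAMPLE = {
  "/src/client/entry.tsx": `import { Page } from "../routes/index";`,
  "/src/routes/index.tsx": `import { formatUser } from "../lib/format";
import { getUser } from "../server/functions/user";`,
  "/src/lib/format.ts": `import { API_KEY } from "./config.server";
export const formatUser = (u) => u.name;`,
  "/src/lib/config.server.ts": `export const API_KEY = process.env.API_KEY;`,
  "/src/server/functions/user.ts": `export const getUser = () => {};`,
};

// Assumed convention: a /server/ path segment or a *.server.* file name means server-only.
const isServerOnly = (p) => /\/server\//.test(p) || /\.server\.[cm]?[jt]sx?$/.test(p);

// Collect relative specifiers from static imports, re-exports and dynamic import().
function relativeImports(source) {
  const re = /(?:\bfrom\s*|\bimport\s*\(?\s*)["'](\.{1,2}\/[^"']+)["']/g;
  return [...source.matchAll(re)].map((m) => m[1]);
}

// Resolve a specifier against its importer, trying common extensions and index files.
function resolve(files, importer, spec) {
  const base = new URL(spec, "file://" + importer).pathname;
  const exts = [".ts", ".tsx", ".js", ".jsx"];
  const candidates = [base, ...exts.flatMap((e) => [base + e, base + "/index" + e])];
  return candidates.find((c) => c in files) ?? null;
}

// Walk the graph from the client entry and return every import chain that
// ends in a server-only module, including indirect (transitive) ones.
function findServerLeaks(files, entry) {
  const leaks = [];
  const seen = new Set();
  const walk = (mod, chain) => {
    if (seen.has(mod)) return;
    seen.add(mod);
    for (const spec of relativeImports(files[mod])) {
      const target = resolve(files, mod, spec);
      if (!target) continue; // bare package or alias specifier: out of scope here
      if (isServerOnly(target)) leaks.push([...chain, mod, target]);
      else walk(target, [...chain, mod]);
    }
  };
  walk(entry, []);
  return leaks;
}
```

Failing the build when `findServerLeaks` returns a non-empty list catches the indirect case as well, where a shared helper pulls in a server-only constant. Projects that use path aliases would need a real module resolver in place of `resolve`.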