Is getServerSideProps generated json output considered as safe?

[johannessteu]

When routing in client side next.js will trigger an internal api to generate a .json file with getServerSideProps. Is this json considered as safe? For instance the consider the with-apollo example (https://github.com/vercel/next.js/tree/canary/examples/with-apollo). A route change in the client to the main page will generate a json like this:

{"pageProps":{"initialApolloState":{"Post:30502c87-9c25-466f-95b1-50e5643d25dc":{"id":"30502c87-9c25-466f-95b1-50e5643d25dc","__typename":"Post","title":"Twitter","votes":1,"url":"http://www.twitter.com","createdAt":"2020-09-14T13:46:58.873Z"},"Post:ea32d5b2-9022-468a-bacb-fa1e6f3d2ac1":{"id":"ea32d5b2-9022-468a-bacb-fa1e6f3d2ac1","__typename":"Post","title":"Nextjs","votes":45,"url":"https://nextjs.org/","createdAt":"2020-09-14T11:55:19.517Z"}

So this file is kind of public. The example would expose whatever the server side requests. On a page that is only accessible for authenticated user it could expose user-data wich is then cached somehow. So you could warm up the apollo cache as well as the user data on the server side:

• fetch cookie from req
• get userdata form private api
• return props including user-data and apollo cache

But those values are then public. So is this json considered as safe? Or would you always re-create the cache on the client and reload user data? Is it possible to configure the lifetime from those json files?

[Timer]

Anything returned by getServerSideProps is always public. The apollo cache should always be cleared between requests—better yet, a new apollo client instance for every incoming request.

[johannessteu]

And is there a good way to somehow warm up caches server side?