environment variable values are appeared directly in production code #3574
Comments
Thesiva7
changed the title
|
This is part of the clientside bundle and therefore cannot be hidden from the client. React is responsible for this behavior. The client ID is ok to be seen in the public. You have to keep the SECRET_KEY secret. This is usually used on the server side. In this case inside the "main.js" process it will be hidden. |
Hi @sanneh2 , Please look below images of production main.js, i have marked encryptedkey field which have value from .env file
|
|
This is a security question. The best and most reliable thing is authentication and servers. So for example, if your users are logging in to your app, you could share secrets over a secure connection, Unpackaging will always expose the entire code to the hacker. You can obfuscate it, encrypt it, or compile it with v8 bytecode which I heard works great. But security with an external server will always be the safest bet, because you can move the secrets and confidential information to a remote location outside of your app. |
|
Hey @Thesiva7 What @sanneh2 said on security is correct, you shouldn't keep secrets on the client. electron-store also advises that I'm not sure what your what your app's codebase looks like, but maybe Google's OAuth javascript |
Hi,
I am using below code to load the environmental variables in production
new Dotenv({
path: path.join(webpackPaths.rootPath, '.env'),
safe: false,
silent: false,
defaults: false,
})
but in production files that environmental values are appearing directly. like below image :
but in development it is like below image :
how to hide environmental values in production code.
@amilajack @jooohhn
The text was updated successfully, but these errors were encountered: