Runtime environment variables which may have secrets are exposed in developer console #23
Hey! Thank you, I'm glad you like it! :) I would like to start with this: You should never store sensitive information (private keys, etc.) in a front-end application. Those can be read and easily extracted. No matter if you use process.env or the window object. I wouldn't count API_URLs and the stuff you mentioned as sensitive. Most of this can be checked via the network tab too. If you want to be ultra-secure, use your backend to send sensitive information back to your application after a successful login. To clarify the usage or the existence of the package: The This package works because it modifies the variables on You can't achieve the same with
Ok, considering all that to be true, can't you please add an option to not print the variables' values in the console? Thanks.
What do you mean by that? I cannot disable users running console.log commands in the developer console. Please read the CRA docs if you do not believe me. Or any front-end security-related article out there.
I meant, every time the application starts, by default, there are print statements on the server console from the runtime-env-cra library, just like shown in the first message in this topic. So, it would be nice to not have that in the logs...
Reduced console logs would be great. Let me know if you are happy to receive a pull request
No problem. I'm planning to upgrade everything in the package anyway during the next week. |
Just a short status update:
Hello Team,
This package works perfectly and it is so easy to integrate the runtime variable configuration, but I noticed that all the variables are exposed in the developer console like in the screenshot below. Is there a better way to handle that part, because it will be a security threat to show some sensitive info in developer tools?

```js
window.RUNTIME_CONFIG
{REACT_APP_SUPPORT_API: 'https://test.com', REACT_APP_EVENTS_API_ENDPOINT: '/api/Events', REACT_APP_EVENT_INSIGHTS_ENDPOINT: '/api/EventInsights', REACT_APP_EVENT_LOGS_ENDPOINT: '/api/Events/EventLogs', REACT_APP_RUM_EVENTS_ENDPOINT: '/api/Events/GetRUMEvents', …}
```
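Since anything placed on `window.RUNTIME_CONFIG` is readable by every user of the page, the practical control is to keep secrets out of the config before it is generated. The following audit script is an added example, not part of runtime-env-cra or of this thread: it scans a config object for key names and value shapes that suggest secret material and reports what would be exposed. The key/value patterns and the sample config are assumptions constructed for illustration.

```javascript
// Added example (not runtime-env-cra code): audit a runtime config object
// before it is injected into the browser as window.RUNTIME_CONFIG.
// Patterns below are heuristics chosen for this example, not an exhaustive list.

const SECRET_KEY_PATTERN =
  /(SECRET|PRIVATE|PASSWORD|PASSWD|TOKEN|API_KEY|ACCESS_KEY|CREDENTIAL)/i;

const SECRET_VALUE_PATTERNS = [
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,      // PEM private key material
  /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\./,     // JWT-shaped value (header.payload.)
  /^AKIA[0-9A-Z]{16}$/,                        // AWS access key id shape
  /^[A-Fa-f0-9]{32,}$/,                        // long bare hex blob (API key / HMAC)
];

// Return the list of reasons a single config entry looks like a secret.
function classifyEntry(key, value) {
  const reasons = [];
  if (SECRET_KEY_PATTERN.test(key)) reasons.push('key name suggests a secret');
  const v = String(value);
  if (SECRET_VALUE_PATTERNS.some((p) => p.test(v))) {
    reasons.push('value looks like secret material');
  }
  // Public endpoints are fine; a URL carrying user:password@ is not.
  if (/^https?:\/\/[^/]+:[^@/]+@/.test(v)) reasons.push('URL embeds credentials');
  return reasons;
}

// Audit every entry; returns [{ key, reasons }] for entries that should not ship.
function auditRuntimeConfig(config) {
  const findings = [];
  for (const [key, value] of Object.entries(config)) {
    const reasons = classifyEntry(key, value);
    if (reasons.length > 0) findings.push({ key, reasons });
  }
  return findings;
}

// Constructed sample: public endpoints like those in the issue, plus two
// entries that must never reach the browser bundle.
const sampleConfig = {
  REACT_APP_SUPPORT_API: 'https://test.com',
  REACT_APP_EVENTS_API_ENDPOINT: '/api/Events',
  REACT_APP_DB_PASSWORD: 'hunter2',
  REACT_APP_AUTH_JWT: 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc',
};

const findings = auditRuntimeConfig(sampleConfig);
for (const f of findings) {
  console.log(`REFUSE to expose ${f.key}: ${f.reasons.join('; ')}`);
}
```

Run it as a pre-start check and fail the build when `findings` is non-empty; the plain endpoint values from the issue pass, while the password and JWT entries are reported.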