Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Runtime environment variables which may have secrets is exposed in developer consoler #23

Open
mkothapalli418 opened this issue Oct 5, 2022 · 7 comments
Open

Runtime environment variables which may have secrets is exposed in developer consoler #23

mkothapalli418 opened this issue Oct 5, 2022 · 7 comments

Comments

@mkothapalli418
Copy link

mkothapalli418 commented Oct 5, 2022
edited
Loading

Hello Team,

This Package perfectly works and so easy to integrate the runtime variable configuration, but I noticed that all the variables are exposed in developer consoler like below screenshot. Is there a better way to handle that part because it will be security threat to show some sensitive info in developer tools.
`
window.RUNTIME_CONFIG

{REACT_APP_SUPPORT_API: 'https://test.com', REACT_APP_EVENTS_API_ENDPOINT: '/api/Events', REACT_APP_EVENT_INSIGHTS_ENDPOINT: '/api/EventInsights', REACT_APP_EVENT_LOGS_ENDPOINT: '/api/Events/EventLogs', REACT_APP_RUM_EVENTS_ENDPOINT: '/api/Events/GetRUMEvents', …}
`
@kHRISl33t
Copy link
Owner

kHRISl33t commented Oct 5, 2022
edited
Loading

Hey!

Thank you, I'm glad you like it! :)

I would like to start with this:

You should never store sensitive information (private keys, etc..) in a front-end application. Those can be read and easily extracted. No matter if you use process.env or the window object. I wouldn't count API_URLs and stuff you mentioned sensitive. Most of this can be checked via the network tab too.

If you want to be ultra-secure, use your backend to send sensitive information back to your application after a successful login.

To clarify the usage or the existence of the package:

The process.env.REACT_APP_... variables are read during the build process, not at serve time. That's why we thought it would be awesome to store these variables on the window object instead of process.env because this way, with a script, it can be easily modifiable after the build.

This package works because it modifies the variables on window.RUNTIME_CONFIG.... at start-time after the build process.

You can't achieve the same with process.env because you will need to rebuild your whole application if you want to change an environment variable.

@gsantosoliver
Copy link

Hey!

Thank you, I'm glad you like it! :)

I would like to start with this:

You should never store sensitive information (private keys, etc..) in a front-end application. Those can be read and easily extracted. No matter if you use process.env or the window object. I wouldn't count API_URLs and stuff you mentioned sensitive. Most of this can be checked via the network tab too.

If you want to be ultra-secure, use your backend to send sensitive information back to your application after a successful login.

To clarify the usage or the existence of the package:

The process.env.REACT_APP_... variables are read during the build process, not at serve time. That's why we thought it would be awesome to store these variables on the window object instead of process.env because this way, with a script, it can be easily modifiable after the build.

This package works because it modifies the variables on window.RUNTIME_CONFIG.... at start-time after the build process.

You can't achieve the same with process.env because you will need to rebuild your whole application if you want to change an environment variable.

Ok, considering all that to be truth, can't you please add an option to not to print the variables value in the console? Thanks.

@kHRISl33t
Copy link
Owner

kHRISl33t commented Nov 9, 2022
edited
Loading

Ok, considering all that to be truth, can't you please add an option to not to print the variables value in the console? Thanks.

What do you mean by that? I cannot disable users running console.log commands in the developer console.

Please read the CRA docs if you do not believe me. Or any front-end security-related article out there.

WARNING: Do not store any secrets (such as private API keys) in your React app!
Environment variables are embedded into the build, meaning anyone can view them by inspecting your app's files.

@gsantosoliver
Copy link

I meant, everytime the application starts, by default, there are print statements on the server console from the runtime-env-cra library, just like shown in the first message in this topic. So, it would be nice to not.to have that in the logs...

@dmitrigrabov
Copy link

Reduced console logs would be great. Let me know if you are happy to receive a pull request

@kHRISl33t
Copy link
Owner

No problem. I'm planning to upgrade everything in the package anyway during the next week.
So sure, I can create a flag that can disable logging of the parsed env variables.

@kHRISl33t
Copy link
Owner

Just a short status update:

  • I finished the changes and made many other improvements based on other pull requests
  • The only remaining thing is to finish the tests and documentation, which hopefully I can finish shortly :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dmitrigrabov @kHRISl33t @gsantosoliver @mkothapalli418