I was trying to find the best way of utilising a config file in my projects, i.e. for reading in usernames, tokens, passwords etc.

I began by just using a config.json and then parsing that in another file to access the parameters. Then I came across this answer using a config.js instead. But this got me thinking about the way environment variables can be accessed.

What is to stop some node package I download from grabbing my process.env

    config.twitter.password = process.env.TWITTER_PASSWORD

and then firing off a HTTP request with it to some external database, thereby leaking any passwords/tokens I might have stored as environment variables?

I have a feeling I'm being both naive and also missing something important, so I'd appreciate some instruction. Thanks.

Philip O'Brien
  • I mean, they could also do things such as deleting files or installing/executing other rogue code, so I'd think environment variables are the least of your worries. This is just another reason why you should only include code into your project that you trust. – Kevin B Feb 10 '15 at 19:28
  • What stops the module you included from loading your config.json? – Kevin B Feb 10 '15 at 20:11
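
An added example, not part of the original question or its comments: within one Node.js process every module reads the same `process.env`, so the code below moves named secrets out of it at startup and builds an allowlisted environment for child processes. The helper names `whatADependencySees`, `takeSecrets` and `minimalEnv` are hypothetical, and the secret value is constructed.

```javascript
// Added example, not code from the original post. Helper names are
// hypothetical; the secret value is constructed sample data.

// Stand-in for code inside any dependency: process.env is one process-wide
// object, so every module in the process reads the same values.
function whatADependencySees(name) {
  return process.env[name];
}

// Copy the named secrets into a frozen object that is handed explicitly to
// the code that needs it, then delete them from the environment object.
function takeSecrets(names, env = process.env) {
  const secrets = {};
  for (const name of names) {
    if (env[name] === undefined) {
      throw new Error(`missing required environment variable ${name}`);
    }
    secrets[name] = env[name];
    delete env[name];
  }
  return Object.freeze(secrets);
}

// Build an allowlisted environment for the `env` option of
// child_process.spawn(), so a child process does not inherit every variable.
function minimalEnv(allow, env = process.env) {
  const out = {};
  for (const name of allow) {
    if (env[name] !== undefined) out[name] = env[name];
  }
  return out;
}

function demo() {
  process.env.TWITTER_PASSWORD = 'constructed-sample-value';
  const before = whatADependencySees('TWITTER_PASSWORD');
  const config = takeSecrets(['TWITTER_PASSWORD']);
  const after = whatADependencySees('TWITTER_PASSWORD');
  const childEnv = minimalEnv(['PATH', 'TWITTER_PASSWORD']);
  return { before, after, config, childKeys: Object.keys(childEnv) };
}

// Limits: code that reads process.env before takeSecrets() runs still sees
// the values, and code in the same process can still read files such as
// config.json or receive the config object if it is passed to it.
console.log(demo());
```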

0 Answers