Environment's variables shown in production build

Question

So long story short, for some reason i "downloaded" my app (ctrl + s or just right click + save as) and i found out that my environment variables are not hidden, they're in a file called main.xxxx.js (where xxx is the build hash)

i found out i have a secret key there for a service, which is used to get data from an external api (this data is very fast). How can i handle this issue? i've thought on placing that secret on the backend and returning it on demand, but it doesnt make any sense since it will be seen in the API request too, hope this all makes sense.

Thanks!

score 0 · Answer 1 · answered Jul 05 '22 at 13:16

0

My suggestion is to use the backend as a proxy to the service that requires the secret. You most likely shouldn't have any secrets in the frontend code as that is "public".

So instead of having the frontend make the request to the service, have the backend do it and return the result from the backend.

answered Jul 05 '22 at 13:16

Jokru

69
12

thank you for your response. Since the data is like an observable, ill use SSE Events. – gaspar aufranc Jul 05 '22 at 13:42
What about the firebase config? that is visible too, is there any harm? – gaspar aufranc Jul 05 '22 at 13:43
@gasparaufranc I don't have personal experience with firebase, but based on [this answer](https://stackoverflow.com/a/37484053/5356045), it seems okay – Jokru Jul 06 '22 at 14:36

Environment's variables shown in production build

1 Answers1