Comments (7)
Hey!
Thank you, I'm glad you like it! :)
I would like to start with this:
You should never store sensitive information (private keys, etc.) in a front-end application. Those can be read and easily extracted. No matter if you use process.env or the window object. I wouldn't count API_URLs and stuff you mentioned sensitive. Most of this can be checked via the network tab too.
If you want to be ultra-secure, use your backend to send sensitive information back to your application after a successful login.
To clarify the usage or the existence of the package:
The process.env.REACT_APP_... variables are read during the build process, not at serve time. That's why we thought it would be awesome to store these variables on the window object instead of process.env because this way, with a script, it can be easily modifiable after the build.
This package works because it modifies the variables on window.RUNTIME_CONFIG.... at start-time after the build process.
You can't achieve the same with process.env because you will need to rebuild your whole application if you want to change an environment variable.
from runtime-env-cra.
No problem. I'm planning to upgrade everything in the package anyway during the next week.
So sure, I can create a flag that can disable logging of the parsed env variables.
from runtime-env-cra.
> Hey!
> Thank you, I'm glad you like it! :)
> I would like to start with this:
> You should never store sensitive information (private keys, etc.) in a front-end application. Those can be read and easily extracted. No matter if you use process.env or the window object. I wouldn't count API_URLs and stuff you mentioned sensitive. Most of this can be checked via the network tab too.
> If you want to be ultra-secure, use your backend to send sensitive information back to your application after a successful login.
> To clarify the usage or the existence of the package:
> The process.env.REACT_APP_... variables are read during the build process, not at serve time. That's why we thought it would be awesome to store these variables on the window object instead of process.env because this way, with a script, it can be easily modifiable after the build.
> This package works because it modifies the variables on window.RUNTIME_CONFIG.... at start-time after the build process.
> You can't achieve the same with process.env because you will need to rebuild your whole application if you want to change an environment variable.

Ok, considering all that to be true, can't you please add an option to not print the variables' values in the console? Thanks.
from runtime-env-cra.
> Ok, considering all that to be true, can't you please add an option to not print the variables' values in the console? Thanks.

What do you mean by that? I cannot disable users running console.log commands in the developer console.
Please read the CRA docs if you do not believe me. Or any front-end security-related article out there.

> WARNING: Do not store any secrets (such as private API keys) in your React app!
> Environment variables are embedded into the build, meaning anyone can view them by inspecting your app's files.
from runtime-env-cra.
I meant, every time the application starts, by default, there are print statements on the server console from the runtime-env-cra library, just like shown in the first message in this topic. So, it would be nice not to have that in the logs...
from runtime-env-cra.
Reduced console logs would be great. Let me know if you are happy to receive a pull request
from runtime-env-cra.
Just a short status update:
- I finished the changes and made many other improvements based on other pull requests
- The only remaining thing is to finish the tests and documentation, which hopefully I can finish shortly :)
from runtime-env-cra.
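The logging concern raised in this thread, as an added example that is not code from runtime-env-cra: a generator that exports only REACT_APP_-prefixed variables, refuses secret-looking names, and logs key names without their values. The function name, the `quiet` option and the secret-name pattern are assumptions; `window.RUNTIME_CONFIG` follows the spelling used in the thread.

```javascript
// Added example: build the runtime config script from the environment and
// log key names only. All names here are assumptions, not the package's API.
const PREFIX = "REACT_APP_";
// Key names that suggest a secret; such values must never reach the browser.
const SECRET_HINT = /(SECRET|PRIVATE|PASSWORD|TOKEN)/i;

function buildRuntimeConfig(env, { quiet = false, log = console.log } = {}) {
  const config = {};
  const rejected = [];
  for (const key of Object.keys(env).sort()) {
    if (!key.startsWith(PREFIX)) continue; // only the public prefix is exported
    if (SECRET_HINT.test(key)) {           // refuse instead of publishing it
      rejected.push(key);
      continue;
    }
    config[key] = String(env[key]);
  }
  const keys = Object.keys(config);
  if (!quiet) {
    // Names only: values are never written to the server log.
    log(`runtime config keys: ${keys.join(", ") || "(none)"}`);
    if (rejected.length) log(`skipped secret-looking keys: ${rejected.join(", ")}`);
  }
  // JSON.stringify escapes quotes; "<" is escaped as well so a value cannot
  // close a <script> element if this output is ever inlined into HTML.
  const json = JSON.stringify(config, null, 2).replace(/</g, "\\u003c");
  return { script: `window.RUNTIME_CONFIG = ${json};\n`, keys, rejected };
}

// Constructed sample environment (not real values).
const sampleEnv = {
  REACT_APP_API_URL: "https://api.example.test",
  REACT_APP_TITLE: "Demo </script>",
  REACT_APP_PRIVATE_KEY: "constructed-not-a-real-key",
  PATH: "/usr/bin",
};

const lines = [];
const result = buildRuntimeConfig(sampleEnv, { log: (l) => lines.push(l) });
console.log(result.script);
console.log(lines.join("\n"));
```

Everything that ends up in the generated script is still readable by anyone who loads the page; the filter only keeps obvious secrets out of it and keeps values out of the startup log.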