I am currently working on a PWA store, which has a nodeJS SSR (server side rendering) and uses React.
So I am using dotenv and created a .env file inside the project, which is injected into nodejs server.
Then, I have configured the webpack to also inject those variables into frontend bundle.
My questions:
- How safe is using .env file with a nodeJS and in the context of a server side rendering app? Can the file be accessed somehow?
- How safe is injecting those variables in frontend? I am currently doing that by modifying the plugins like this:
new _webpack.default.DefinePlugin({
  'process.env': JSON.stringify(process.env)
})
CodePudding user response:
env files are primarily created for the purpose of executing source code in different environments (like home computer vs office computer, where some properties like database credentials will differ).
Other than that, it is inherently also used to store sensitive information separate from source code, so that if you let a developer friend of yours work on your project's source code, they should not know the location of your database in your system, and will have to create their own env file with their own values for the same keys required by your source code, depending on their system.
Now, for a backend project, the source code is not supposed to be shared with the world, and therefore using env file at backend will be as safe as your source code is, i.e., only those with direct access to the backend machine running your project will be able to access the env file for that particular environment.
For a frontend project, the source code is considered to be shared with the world (like a webpage where the user receives the full html/css/js content). Using env file at frontend should only be considered while working on the project, as it is obvious that the source code will be presented to every user, and so will be the values from the env used while preparing the frontend. The purpose of env at frontend shrinks down to only support different publish environments (like beta release, production release, will have different envs for differentiation in the published frontend app, but nothing will remain private). Therefore, env file of a frontend oriented project should not contain anything sensitive.
If you use a variable value from your env file in the rendering part of your source code, it will be rendered, as simple as that.
CodePudding user response:
How safe is using .env file with a nodeJS and in the context of a server side rendering app? Can the file be accessed somehow?
No it can't be accessed, unless you are intentionally hosting it on a web server.
How safe is injecting those variables in frontend? I am currently doing that by modifying the plugins like this:
"Safe" is the wrong word here. The JavaScript bundle is probably minified and obfuscated, but values from process.env are visible to your users, since you're sending this file to their browsers. So you have to decide whether it contains sensitive information or not. You probably don't want to have the entire process.env in the bundle, just the key/value pairs that are relevant for your app.
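An added example (not code from the question or either answer) of the approach the second answer recommends: building the DefinePlugin definitions from an explicit allowlist of keys instead of serialising all of process.env. The PUBLIC_ prefix convention, the helper names and the sample environment are assumptions for illustration.

```javascript
// Added example: expose only allowlisted env keys to the browser bundle.
// Assumed convention: keys prefixed PUBLIC_ are safe for the client; anything
// else (database credentials, payment secrets) stays on the SSR server.
const PUBLIC_PREFIX = 'PUBLIC_';

// Returns a map usable as `new webpack.DefinePlugin(defs)`. Each key is the
// expression webpack replaces in the bundle (e.g. 'process.env.PUBLIC_API_URL')
// and each value is the JSON-encoded literal substituted for it.
function clientEnvDefinitions(env, prefix = PUBLIC_PREFIX) {
  const defs = {};
  for (const [key, value] of Object.entries(env)) {
    if (!key.startsWith(prefix) || value === undefined) continue;
    defs[`process.env.${key}`] = JSON.stringify(value);
  }
  // NODE_ENV is needed by React and by minifiers for dead-code elimination.
  defs['process.env.NODE_ENV'] = JSON.stringify(env.NODE_ENV || 'development');
  return defs;
}

// Build-time guard: fail the build if an allowlisted key still looks like a
// credential, so a mis-prefixed secret cannot ship to browsers unnoticed.
const SECRET_PATTERN = /(SECRET|PASSWORD|PRIVATE|TOKEN)/i;
function assertNoSecrets(defs) {
  const leaked = Object.keys(defs).filter((k) => SECRET_PATTERN.test(k));
  if (leaked.length > 0) {
    throw new Error(`refusing to expose to the client: ${leaked.join(', ')}`);
  }
  return defs;
}

// Constructed sample environment, of the kind dotenv loads from a .env file.
const sampleEnv = {
  NODE_ENV: 'production',
  PUBLIC_API_URL: 'https://api.example.com',
  PUBLIC_STORE_NAME: 'Example Store',
  DB_PASSWORD: 'hunter2',
  STRIPE_SECRET_KEY: 'sk_live_placeholder',
};

// In webpack.config.js this replaces the `'process.env': JSON.stringify(process.env)` form:
//   plugins: [new webpack.DefinePlugin(assertNoSecrets(clientEnvDefinitions(process.env)))]
```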