'Is using a JS object stored inside a global variable instead of a .env file secure?
A couple days ago I was trying to implement environments in my Expo-managed React Native application. I tried using react-native-dotenv module, but I soon encountered a problem regarding the change of the environment variables (the only way for me to change something was editing each and every file where process.env was called).
After some time I gave up and started to implement something that would work similarly:
- My
.envfile is now anenv.ts - The environment variables are now object properties
export const env = {
ENDPOINT: 'http://url.com',
}
- To use my environment I import it in my application entry point and set it as a global variable
import { env } from './env'
...
global.env = env;
- I now use global.env instead of process.env
console.log(global.env.ENDPOINT)
Since this is a JS application the code gets sent to the user that requests the page and since my environment is now code I fear that this might have some security implications.
I'm obviously not sending down my google account's password, but if I need to add an api key it's going to be exposed to whomever has enough patience to look for it, isn't it?
If this do have security implications, how do the various dotenv modules handle this? If I need to show a google map I'll have to send the api key either way, won't I? Where would the difference be?
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|