DEV Community

Cover image for My First Foray into the World of Frontend Secrets: The Truth About Environment Variables
Ahmad Yones
Ahmad Yones

Posted on

My First Foray into the World of Frontend Secrets: The Truth About Environment Variables

Introduction:

Hello, Dev community! As a frontend enthusiast diving into the complexities of web development, I recently encountered a revelation that reshaped my understanding of the security aspect. It all started with a simple question: Are environment variables in frontend really secure and not accessible?

A Journey of Discovery:

Initially, like many, I believed that .env files were a safe haven for sensitive data like API keys. It was only after delving deeper that I uncovered a surprising truth.

The Reality of Exposed Variables in Frameworks Like React

In frameworks such as React.js, environment variables are not the secret keepers we assume them to be. They get bundled into the production build, laying bare for anyone who dares to peek into the browser's source code.

How Environment Variables Work in React.js

  • Environment variables are embedded into the build during the build time.
  • They must be prefixed with REACT_APP_ to be recognized and included in the build.

Example:

Here’s what I used to do, blissfully unaware of the exposure risk:

const apiKey = process.env.REACT_APP_API_KEY;
fetch(`https://api.example.com/data?api_key=${apiKey}`);
Enter fullscreen mode Exit fullscreen mode

Seems secure, right? But, in reality, apiKey is as exposed as a message in a bottle thrown into the sea of the internet.

The Next.js Revelation - A Game Changer in SSR and CSR

My research led me to Next.js, where things get interesting with its distinct handling of server-side and client-side variables. A simple prefix NEXT_PUBLIC_ decides what’s for the world to see and what’s not. Notably, if you attempt to use a server-side variable (like SECRET_KEY) on the client-side, you'll find it returns undefined – a safeguard ensuring server-side secrets stay secret.

How Environment Variables Work in Next.js

  • Next.js differentiates between server-side and client-side environment variables.
  • Server-side variables are kept secret and are not exposed to the browser.
  • Client-side variables must be prefixed with NEXT_PUBLIC_ and are embedded into the JavaScript sent to the browser.

Example:

// Server-side: safe and sound
const serverKey = process.env.SECRET_KEY;

// Client-side: for the public eye
const clientKey = process.env.NEXT_PUBLIC_PUBLIC_KEY;

console.log(serverKey); // Safe on the server
console.log(clientKey); // Visible on the client, if logged
Enter fullscreen mode Exit fullscreen mode

In the client-side code, serverKey would be undefined, safeguarding your server-side secrets.

Alternatives I Explored

  1. Server-Side Configuration:
    The server became my trusted keeper of secrets. Through APIs, the frontend could interact without ever exposing sensitive keys.

  2. The Proxy Server Strategy:
    Acting as a middleman, a proxy server became my go-to for handling requests with third-party services, keeping my keys away from prying eyes.

  3. CI/CD for the Win:
    Injecting configuration in the CI/CD pipeline meant keeping secrets out of the code repository, a much-needed security boost.

Conclusion

Navigating the use of environment variables in frontend development has been a crucial learning curve. While they're useful tools, their security implications are important to consider. I'm curious about your experiences and strategies in managing environment variables securely. Feel free to share your insights in the comments!

Top comments (0)