Please drop me a line in the comments if you're interested in more video tutorials like this one!
Want to get better at Web Development?
Subscribe to the Tutorial Tuesday newsletter
Top comments (5)
You know dotenv is the most common secrets management tool, but it's not exactly best practice tbh.
A better strategy is to read in secrets from a yaml or json file which gets added to the system at build-time with a ci pipeline.
Ideally you would be able to select the file to load via CLI flags when starting your app. Basing all your config off of the current environment is problematic for many reasons. It makes things able to work on staging but not on prod, and makes your config all or nothing. What if you want to run with some services on and some off?
Dotenv is ok for small apps but anything bigger will need a better solution.
Hello, Ryan. Can you tell more about "read in secrets from a yaml or json file which gets added to the system at build-time with a ci pipeline"? Is there a tool to do that or some articles on how to do that? I'm pretty new to Node.js and would appreciate your help.
Ok here it is! dev.to/genster/config-like-a-pro-4j3i
I'll write up a second post to get into the details of how we manage secrets in the pipeline. This first post is about loading and accessing values in the app itself. Hope it's helpful!
Hi Raymond! Ya totally. You know I think I'll write it up into a longer form article. Been wanting to do that for a while anyways :) I'll ping you when I get it published.
Keep in mind that React apps are entirely run on the client-side, so even with env variables, the key will essentially be embedded into the code when compiled, and users will be able to view the key if they start digging around in the browser's dev tools. So this is a good way to keep the key out of a git repository, but this method doesn't keep it secret in a production environment.