
Jatin Thakur


What is the secure way to store environment variables?

So I was working on a project with someone else. I was just using a .env file to store secrets, but then he told me that it's not the secure way to store secrets. So after digging around the internet I found AWS KMS and used it to encrypt the secret, but now I'm in the same situation, since I ended up with an apiKeyId and apiSecretAccessKey. Now how do I store those? Even if I encrypt these two keys too, I will again end up with some encryption key, and so on.
So can anyone help me understand how to go about it?

And also, if some attacker breached my server, what are some steps that could be taken to prevent or at least minimize that?

Top comments (1)

Adnan Rizvan

Yeah, so - (plainly speaking) the issue your friend/colleague was referring to is the fact that everything on the client-side, typically using webpack, gets compiled into a bundle (even the .env values). And the vulnerability is the fact it's possible for someone inspecting the code to read those values.

Generally, it is recommended to store this sort of information on the server or e.g. AWS Lambda if you're going serverless.

I've seen people also referring to tokenization as a solution to this problem as well (access tokens with limited lifetime).

Hope this helps!
