DEV Community 👩‍💻👨‍💻

Discussion on: Stop pushing your React API Key on GitHub 😪

Collapse
jancizmar profile image
Jan Cizmar

Hmm, I would also say, that it's not good idea to add any secret API key into your production build. So when your GITHUB_API_KEY (whatever it is) is in the .env while build it is present in the production build and readable. Maybe it's better to use .env.development.local and think twice which is public API key and which is not.

Collapse
shnydercom profile image
Jonathan Schneider

Yes, the example with the API key is exactly contrary to what the linked article has as an example: process.env.REACT_APP_NOT_SECRET_CODE
Having your secret API key in a build on a publicly available URL is a bigger security issue than having it on github. At least github notifies you by scanning repositories for things like that

Collapse
koichadev profile image
Khoi Hoang • Edited on

Wouldn't the end-point address be exposed anyways even if you use. env or not if you push it to production server?

Collapse
jancizmar profile image
Jan Cizmar

That's why you should use .env.development.local :) Those variables are not part of production build.