DEV Community


Discussion on: Firebase Functions: React users need to stop storing sensitive API keys in .env files!

Michael J. Ryan

I can understand that... I actually do use .env files, but the front end only uses them for the build/dev server to inject the 3 values... for the most part, I only use them for dev, and in the .gitignore so they don't get added. I then inject the necessary environment variables into the CI/CD for build and/or deploy environments. My front end usually has a limited number of them.

And you are right, it's too easy to accidentally inject unexpected values into a build. If you stick to just what you intend to inject such as with process.env.VARNAME in the webpack config, or in a separately loaded JS file that gets injected into the client.
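
An added example (not part of the comment above, and not the commenter's code) of the allowlist approach it describes: only explicitly named variables are turned into `process.env.VARNAME` replacements for webpack's `DefinePlugin`. The variable names, the secret-name heuristic and the sample environment are assumptions constructed for illustration.

```javascript
// Explicit allowlist of variables the client bundle may see (hypothetical names).
const PUBLIC_ENV_ALLOWLIST = ['API_BASE_URL', 'AUTH_DOMAIN', 'PUBLIC_CLIENT_ID'];

// Heuristic (an assumption, not a standard): names that suggest a secret are
// refused even if someone later adds them to the allowlist by mistake.
const SECRET_NAME_PATTERN = /(SECRET|PRIVATE|PASSWORD|TOKEN|API_?KEY)/i;

function buildClientDefines(env, allowlist = PUBLIC_ENV_ALLOWLIST) {
  const defines = {};
  const missing = [];
  for (const name of allowlist) {
    if (SECRET_NAME_PATTERN.test(name)) {
      throw new Error(`${name} looks like a secret and must not be bundled`);
    }
    const value = env[name];
    if (value === undefined || value === '') {
      missing.push(name);
      continue;
    }
    // DefinePlugin does textual replacement, so each value is JSON-encoded.
    defines[`process.env.${name}`] = JSON.stringify(value);
  }
  // Fail the build instead of shipping a bundle with undefined settings.
  if (missing.length > 0) {
    throw new Error(`missing build variables: ${missing.join(', ')}`);
  }
  return defines;
}

// In webpack.config.js (assumes webpack is installed):
//   plugins: [new webpack.DefinePlugin(buildClientDefines(process.env))]

// Constructed sample environment, as a CI job might provide it. The last
// entry is present in the environment but never reaches the bundle.
const sampleEnv = {
  API_BASE_URL: 'https://api.example.test',
  AUTH_DOMAIN: 'auth.example.test',
  PUBLIC_CLIENT_ID: 'web-client-123',
  PAYMENT_SECRET_KEY: 'constructed-not-a-real-key',
};
console.log(buildClientDefines(sampleEnv));
```

Anything the function returns ends up readable in the shipped JavaScript, so the allowlist should hold only values that are acceptable to publish.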