
How to use environment variables secrets safely in production

I would like to use environment variables to securely hold secrets with pm2.

I have a reverse proxy to an Express-backed server that uses a database with a password each time it connects to perform a query.

I would like to access it normally from the program:

process.env.my_secret

but I'm assuming that simply setting the variable at run time like the following isn't safe:

MY_SECRET="secret password" pm2/node my_api_server.js

How should I set the secret password considering I'm using pm2 and I would like the variable to persist through restarts/crashes?

I should note that different environment handling and passing code to other developers through the VCN is less important to me.

In past ReactJS projects with Express backends that need to connect to a database, I've used the dotenv package on NPM. Once added as a dependency to your project, you create a hidden .env file in the root of your server file structure.

In that .env file, you can create environment variables. These variables will need to be prefixed with REACT_APP_ like the following:

REACT_APP_DBURI=<conn string here>
REACT_APP_MAILGUN_API_KEY=<key string here>
REACT_APP_CAPTCHA_SECRET_KEY=<key string here>

You need to require the package as follows in your code:

require('dotenv').config();

You can reference them in your server.js (or whatever) code as:

process.env.REACT_APP_VARIABLE_NAME

This Medium article has a full explanation.

Hope this helps!

API keys or credentials stored in .env get exposed to the client in production!
From the React docs:

WARNING: Do not store any secrets (such as private API keys) in your React app! Environment variables are embedded into the build, meaning anyone can view them by inspecting your app's files.

It's advised to store all env keys directly on the server, and the server should be used as a midpoint between the client and the API. This way the key is applied directly on the server and is not exposed in the front end. You can check the respective documentation on how to set up env variables on your particular server.

Front End Code

fetchData = (data) => {
    // The browser only calls our own server; it never sees the API key
    fetch('/users', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify(data)
    })
    .then(res => res.json());
}

Server Code

app.post('/users', (req, res) => {
    // The key is read from the server's environment and is never sent to the browser
    const API_KEY = process.env.API_KEY;
    connection.query(`/apiPath/${API_KEY}`, (err, result) => {
        if (err) return res.status(500).json({ error: 'upstream request failed' });
        res.json(result);
    });
});
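The following is an added example, not code from the question or either answer. It ties together the two points made above: the first answer's dotenv-style loading of a server-side .env file into process.env, and the second answer's server-as-midpoint pattern where the API key is attached on the server and never returned to the browser. The .env parser is a small re-implementation of the KEY=value format for illustration, not the dotenv package itself; the .env text, the env values and the upstream URL https://api.example.invalid/v1/users are all constructed for the demo. An audit step flags any key carrying the REACT_APP_ prefix, since the React docs quoted above say such variables are embedded into the build and are therefore public.

```javascript
// Added example (not from the original question or answers).
// Assumptions: the .env text below is a constructed sample; the upstream
// URL is hypothetical; parseDotenv models dotenv's format, it is not dotenv.

// Parse KEY=value lines: comments (#), blank lines, optional quotes,
// optional "export " prefix, and trailing comments on unquoted values.
function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    const quoted = /^(['"])(.*)\1$/.exec(value);
    if (quoted) {
      value = quoted[2];
      if (quoted[1] === '"') value = value.replace(/\\n/g, '\n'); // "\n" escapes only in double quotes
    } else {
      value = value.replace(/\s+#.*$/, ''); // strip inline comment
    }
    out[m[1]] = value;
  }
  return out;
}

// Copy parsed values into an env object (process.env in real use) without
// overriding keys already present: a value set by pm2 or the shell wins
// over the file, which is the precedence dotenv uses by default.
function loadIntoEnv(parsed, env) {
  const loaded = [];
  for (const [key, value] of Object.entries(parsed)) {
    if (Object.prototype.hasOwnProperty.call(env, key)) continue;
    env[key] = value;
    loaded.push(key);
  }
  return loaded;
}

// Audit: keys the front-end build inlines (REACT_APP_ prefix for
// Create React App) are effectively public and must not hold secrets.
function findClientExposed(keys) {
  return keys.filter((k) => k.startsWith('REACT_APP_'));
}

// Server-side midpoint: the outbound request to the upstream API carries the
// key from env; the browser only ever talks to our own /users route.
function buildUpstreamRequest(env, body) {
  if (!env.API_KEY) throw new Error('API_KEY is not set on the server');
  return {
    url: 'https://api.example.invalid/v1/users', // hypothetical upstream
    method: 'POST',
    headers: {
      'content-type': 'application/json',
      authorization: `Bearer ${env.API_KEY}`, // attached server-side only
    },
    body: JSON.stringify(body),
  };
}

// Defensive check before relaying an upstream response to the browser:
// refuse to send anything that echoes the key back down.
function buildClientResponse(upstreamJson, env) {
  const text = JSON.stringify(upstreamJson);
  if (env.API_KEY && text.includes(env.API_KEY)) {
    throw new Error('upstream response would leak API_KEY to the client');
  }
  return upstreamJson;
}

// Constructed sample .env (not real credentials)
const SAMPLE_ENV_FILE = `
# server-only secrets
DB_URI="postgres://app:s3cr3t@localhost/app"
API_KEY=abc123   # inline comment
export MAILGUN_API_KEY='key-xyz'
REACT_APP_PUBLIC_NAME=MyApp
`;

function demo() {
  const env = { API_KEY: 'from-pm2-ecosystem' }; // already set by pm2/shell
  const loaded = loadIntoEnv(parseDotenv(SAMPLE_ENV_FILE), env);
  const exposed = findClientExposed(Object.keys(env));
  const req = buildUpstreamRequest(env, { name: 'alice' });
  return { env, loaded, exposed, authorization: req.headers.authorization };
}
```

In demo(), API_KEY is already present in the environment (as it would be after pm2 exports it from an ecosystem file), so the .env value does not overwrite it, while the remaining keys are loaded; the audit reports REACT_APP_PUBLIC_NAME as the only key a client build would inline, which is the reason server secrets should never carry that prefix.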
