Stan Luo

Reputation: 3889

Node server: is it safe to put security credentials in npm scripts?

Often credentials are required for a NodeJS server, e.g. an express session key. Since environment variables can be supplied in npm scripts, is it considered a good practice to put the credentials there?

For example (in package.json):

"scripts": {
    "start": "EXPRESS_SESSION_KEY=mysessionkey node server server/index.js"
}

So when I do npm start the credentials are also supplied.

P.S. The Git repository is private, so package.json is not likely to leak.

Upvotes: 0

Views: 195

Answers (1)

shaochuancs

Reputation: 16246

No, it's not safe.

Even if the git repository is private and package.json is not publicly available, this package.json file with sensitive information is available to all developers -- whoever has authority to access the git repository would be able to access the key, which is a big problem -- the more people who can access the key, the more risk.

To fix the security issue, my suggestion is to use 2 keys, one for development & test, one for production. In package.json, the development key is set, so that developers can easily clone the code and launch the program:

"scripts": {
  "start": "DEV_KEY=devsessionkey node server server/index.js"
}

In the code where the KEY is used, PROD_KEY (the key for production) would be checked and used first. DEV_KEY is used only if there is no PROD_KEY:

var key = process.env.PROD_KEY ? process.env.PROD_KEY : process.env.DEV_KEY;

When the DevOps engineer deploys the code, he/she will set the environment variable PROD_KEY in the operating system and then launch the program. This way, only the specific DevOps engineer knows the production key, which makes it much safer.

Upvotes: 3
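As an added example (not code from the answer or from the asker's project), the lookup the answer describes written as a small function, with one extra check the answer does not make: when NODE_ENV is "production" and PROD_KEY is missing, it refuses to start rather than silently falling back to the development key that every repository collaborator knows. The NODE_ENV check and the returned "source" field are assumptions added here.

```javascript
// Resolve the express session secret as the answer suggests: PROD_KEY wins,
// DEV_KEY is the fallback. Takes the env object as a parameter so it can be
// exercised without touching process.env.
function resolveSessionKey(env) {
  const prod = env.PROD_KEY;
  const dev = env.DEV_KEY;
  const isProduction = env.NODE_ENV === 'production'; // assumption: NODE_ENV marks prod

  if (typeof prod === 'string' && prod.length > 0) {
    return { key: prod, source: 'PROD_KEY' };
  }

  // The answer's plain ternary would fall through to DEV_KEY here. In a
  // production deployment that is a misconfiguration (the secret is in git),
  // so fail fast instead of running with the shared development key.
  if (isProduction) {
    throw new Error('PROD_KEY must be set when NODE_ENV=production');
  }

  if (typeof dev === 'string' && dev.length > 0) {
    return { key: dev, source: 'DEV_KEY' };
  }

  throw new Error('Neither PROD_KEY nor DEV_KEY is set');
}

// Typical use in server/index.js before configuring express-session
// (constructed illustration; express-session wiring not shown):
//   const { key } = resolveSessionKey(process.env);
//   app.use(session({ secret: key, resave: false, saveUninitialized: false }));
```

Logging `source` (never `key`) at startup gives a quick check that production deployments really picked up PROD_KEY.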
