matrimcauthon0514

Reputation: 35

Netlify/Create React App secret api keys exposed in build

Building create-react-app (v2) on Netlify hosting and need to deal with secret keys for payment processing and content pulls from CMS (Contentful).

CRA is exposing secret keys in the build output using `process.env.REACT_APP_`, and CRA overwrites the space and doesn't allow these keys to be hosted in the variable space and accessed at build time securely.

Is there a best practice on the right type of approach to keep the keys secure?

Upvotes: 1

Views: 768

Answers (1)

stefan judis

Reputation: 3870

You have two different cases here. Speaking about Contentful, you're probably using the CDA. This API is read-only and has its own tokens. There is no harm in exposing it to the public and your React application with REACT_APP_.

A payment provider is a different story though. For this I'd recommend using Netlify functions to not expose the token. This way your React application can use the function endpoint and your token stays safe. :)

Upvotes: 1
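As an added illustration of the answer's approach (not code from the question or the answer), here is a Netlify Function that keeps the payment secret in the function's runtime environment instead of the CRA bundle; the variable name `PAYMENT_SECRET_KEY`, the provider URL and the order fields are assumptions.

```javascript
// netlify/functions/create-payment.js (added example, not the original post's code).
// The secret is read from PAYMENT_SECRET_KEY: no REACT_APP_ prefix, so react-scripts
// never inlines it into the static build. Provider URL and fields are placeholders.
const PROVIDER_URL = "https://payments.example.invalid/v1/charges"; // assumed placeholder

// Validate the untrusted browser body and keep only the fields the server expects.
// Returns { ok: true, value } or { ok: false, error }.
function validateOrder(body) {
  let data;
  try { data = JSON.parse(body || ""); } catch (e) { return { ok: false, error: "invalid JSON" }; }
  if (!data || typeof data !== "object") return { ok: false, error: "body must be an object" };
  const amount = Number(data.amount);
  if (!Number.isInteger(amount) || amount <= 0) {
    return { ok: false, error: "amount must be a positive integer in minor units" };
  }
  if (!/^[A-Z]{3}$/.test(String(data.currency))) {
    return { ok: false, error: "currency must be an ISO 4217 code" };
  }
  return { ok: true, value: { amount, currency: data.currency } };
}

// Build the server-to-provider request; the secret comes from the function's env only.
function buildProviderRequest(order, env) {
  const secret = env.PAYMENT_SECRET_KEY;
  if (!secret) throw new Error("PAYMENT_SECRET_KEY is not configured");
  return {
    url: PROVIDER_URL,
    method: "POST",
    headers: { Authorization: `Bearer ${secret}`, "Content-Type": "application/json" },
    body: JSON.stringify(order),
  };
}

// Netlify Function entry point. The React app calls POST /.netlify/functions/create-payment
// with { amount, currency } and never sees the provider token.
async function handler(event) {
  if (event.httpMethod !== "POST") return { statusCode: 405, body: "Method Not Allowed" };
  const parsed = validateOrder(event.body);
  if (!parsed.ok) return { statusCode: 400, body: JSON.stringify({ error: parsed.error }) };
  const req = buildProviderRequest(parsed.value, process.env);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const result = await res.json();
  // Return only what the browser needs; never echo the provider response wholesale.
  return { statusCode: res.ok ? 200 : 502, body: JSON.stringify({ id: result.id, status: result.status }) };
}

// Netlify loads the file as CommonJS; the guard only lets it load where `module` is absent.
if (typeof module !== "undefined") module.exports = { handler, validateOrder, buildProviderRequest };
```

Set `PAYMENT_SECRET_KEY` in the Netlify site's environment variables; because it lacks the `REACT_APP_` prefix, CRA ignores it and only the function can read it.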
