hide .env variable values in spa apps from end users

Question

Can a user who is using my vuejs app, see the values of .env variables or are they somehow hidden?

I want to keep an app-id that is part of a websocket URL private. It is probably not a problem for users to see it, but I would rather they didn't

I could connect to the WS service via node on a backend server and pipe the data to the end user, but since I am working with real-time trading data, that would double the latency to the end user.

Answer 1

In short words: No.

If you need to pass data to the client you cannot hide, you could try to hide or mask, but if the code is in the client, the code is available. Moreover, if you use it on a websocket it will be very easy to get with de Chrome Dev Tools (or any web browser dev tools):

The idea that you propose to the back-end seems to be best to hide your app-id, to reduce the latency make your middleware in the middle of the clients and the other server, I mean, if you need the data from Canada and most of the users are in México i will try to put the middleware on Canadá, EEUU or México.

In general, I will avoid the middleware proposal excepts these cases:

• Your SPA limits the websocket use, i.e. you will use the websocket to get info about the Bitcoin exchange, but the websocket could use to buy or sell
• If use of the original websocket cost money for you, if you have to pay for the use of the WS maybe someone take your app id to use free while you pay it (to fix this, you need a middleware and make your middleware usable only by your app)
• If the data that you consume is private and you are in a public platform (I mean, if you are a in a private network like your office o VPN the security is not so important that make a web public)

Hope it helps :) If you need more, please share more info about the project.

Image's source