I can't seem to verify this anywhere. Is it safe to put secrets like passwords and other sensitive information in the environment.*.ts files? I would not be checking them into source control, so I'm just wondering about the security after build/deploy.
That's a big question. My answer is no.
Anything that you put in the environment file that your build uses will be sent to the client. Any Single Page Application runs in an uncontrolled environment: the user's browser.
Despite your best efforts, all parts of the code and all information that your app processes are, at any time, available to whoever opens the browser console. So you can't ever rely on client-side security for sensitive information.
What you can do is have a well-configured API that will not give more information than necessary, and where you use your sensitive info to process requests. You will also need to follow proper Authorization and Authentication practices on that API. This is the environment that is truly under your control.
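An added example, not part of the original thread and not Angular's own code: a post-build check in Node.js that searches a compiled bundle for values held in a server-side secret store, illustrating the answer's point that anything placed in an environment file ships to the browser. The bundle text, secret names and values are constructed, and `variants` and `findLeakedSecrets` are hypothetical helper names.

```javascript
// Constructed stand-in for a built main.js: the bundler inlines the
// environment object, so every property value is delivered to the browser.
const SAMPLE_BUNDLE = `
(self.webpackChunkapp=self.webpackChunkapp||[]).push([[179],{
  4431:(e,t,n)=>{const r={production:!0,apiUrl:"https://api.example.test",
  paymentKey:"constructed-payment-key-9f2c71"};n.d(t,{N:()=>r})}}]);
`;

// Constructed secrets, standing in for values read from the server or CI
// secret store (assumption: the check can read them at build time).
const SAMPLE_SECRETS = {
  PAYMENT_KEY: 'constructed-payment-key-9f2c71',
  DB_PASSWORD: 'constructed-db-pass-1',
};

// Forms a value commonly takes when it is embedded on its own in built JS.
function variants(value) {
  return {
    plain: value,
    base64: Buffer.from(value, 'utf8').toString('base64'),
    urlEncoded: encodeURIComponent(value),
  };
}

// Returns one finding per secret per distinct encoding found in the bundle.
function findLeakedSecrets(bundleText, secrets) {
  const findings = [];
  for (const [name, value] of Object.entries(secrets)) {
    if (!value || value.length < 8) continue; // too short to match reliably
    const seen = new Set();
    for (const [encoding, needle] of Object.entries(variants(value))) {
      if (seen.has(needle)) continue; // urlEncoded often equals plain
      seen.add(needle);
      const offset = bundleText.indexOf(needle);
      if (offset !== -1) findings.push({ name, encoding, offset });
    }
  }
  return findings;
}

// Report secret names and positions only; never echo the values themselves.
console.log(findLeakedSecrets(SAMPLE_BUNDLE, SAMPLE_SECRETS));
```

A non-empty result means the value is already readable by anyone who loads the page, so the fix is to rotate it and move its use behind the API, not to obscure it in the bundle.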