Great library thank you for all the hard work!
I just noticed that the end user is able to see the contents of config.js on the client side. Is it a concern that the user can see this line? https://github.com/kriasoft/react-starter-kit/blob/4bc6f834534c254daf0a6f12785ea45f3e6c44bb/src/config.js#L28
I know the ENV values are false but if the user does not set a JWT secret that way then the default secret is exposed. Is this a concern at all? Is it obvious enough that it could be a security hole?
config.js is only supposed to be used from the server-side code. It might be a good idea to put if (!process.env.BROWSER) throw new Error('...'); in it. And if you need to pass some data from the config to the client, you would just put that into Redux state, e.g. createStore({ googleAnalyticsID: config.googleAnalyticsID }) in server.js.
@cbravo Config is really too generic of a file name; it begs for all sorts of things to be included that should not be. It should likely be separated into a secrets file (Rails has good docs/best practices around this) and a serverConfig.js file to prevent mistakes. The secrets file should also be excluded from version control; it would be nice if the file was appended to .gitignore on first run (Facebook's create-react-app does some logic on first run only, could be an example to look at).
Hmm.. confused how using process.env.BROWSER would prevent it from being bundled and sent down to the client.
@buildbreakdo if (!process.env.BROWSER) throw new Error('...'); will effectively prevent you from including server config in client bundle by mistake.
You can add a conditional alert() too, so it flashes before your eyes after you run the app.
Client side config is nonsense — it must be derived from server environment and passed into client via global window.App object for example.
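The server-only guard and the explicit hand-off of client-safe values discussed in the replies above, as an added example that is not react-starter-kit's own code. It assumes process.env.BROWSER is defined as true only in the client bundle (as a webpack DefinePlugin would do), so the guard throws when BROWSER is truthy or a window global exists; the JWT_SECRET and GOOGLE_ANALYTICS_ID variables, the default secret string and the allow-list are constructed for the example.

```javascript
// Constructed placeholder; the point is that it must never reach production.
const DEFAULT_JWT_SECRET = 'dev-only-change-me';

// Refuse to be evaluated inside a client bundle or a real browser, so a
// mistaken import of the server config fails loudly instead of shipping secrets.
function assertServerOnly(env = process.env, globalObj = globalThis) {
  if (env.BROWSER || typeof globalObj.window !== 'undefined') {
    throw new Error('config.js is server-only; do not import it from client code');
  }
}

// Build the full server config. In production the secret must come from the
// environment; the fallback is tolerated only in development.
function loadServerConfig(env = process.env) {
  assertServerOnly(env);
  const secret = env.JWT_SECRET;
  if (!secret && env.NODE_ENV === 'production') {
    throw new Error('JWT_SECRET must be set in production');
  }
  return {
    port: Number(env.PORT) || 3000,
    googleAnalyticsId: env.GOOGLE_ANALYTICS_ID || '',
    auth: { jwt: { secret: secret || DEFAULT_JWT_SECRET } },
  };
}

// Explicit allow-list of keys that may be serialized into Redux state or a
// window.App global; everything not listed here stays on the server.
const CLIENT_SAFE_KEYS = ['googleAnalyticsId'];

function toClientConfig(serverConfig) {
  const clientConfig = {};
  for (const key of CLIENT_SAFE_KEYS) {
    if (key in serverConfig) clientConfig[key] = serverConfig[key];
  }
  return clientConfig;
}

// Typical server.js usage: createStore({ config: toClientConfig(loadServerConfig()) })
```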