Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[docs]: Clarify env variables are NOT "SECRET"

See original GitHub issue

The usage of REACT_APP_SECRET_CODE in Adding Custom Environment Variables is misleading given that there are no secrets in the front end.

Should I open a PR that changes all to REACT_APP_NOT_SECRET_CODE?

Also, should there be a warning box toward the top about being careful not to expose secrets?

Issue Analytics

State:
Created 5 years ago
Reactions:2
Comments:10 (6 by maintainers)

Top GitHub Comments

5reactions

JBallincommented, Dec 2, 2018

@miraage I don’t believe this makes it clear that secrets will be exposed. It requires some deduction and reading. Here’s an example warning message:

Don’t store any secrets (such as API keys) in your React app as they’ll be included in the build (meaning they can be read by anyone looking at your script/html files in dev tools). Instead, you should send requests to a separate backend (which stores your secrets) and send back the response to your React app.

I think this is an important distinction that should be immediately obvious when looking at the docs, especially for beginners. Unfortunately some misinformation is being spread online, so I think it’s safe to assume that people are not finding this clear.

What’s the downside of adding NOT?

2reactions

ianschmitzcommented, Dec 2, 2018

Sounds reasonable. Let’s get a PR going and we can get some feedback from the others in there. Thanks!