DEV Community

Benjamin Mock
🤫 How to handle 🗝️ secrets 🗝️ in Node.js (Video Tutorial)

Please drop me a line in the comments if you're interested in more video tutorials like this one!


Top comments (5)

Ryan Cole

You know dotenv is the most common secrets management tool, but it's not exactly best practice tbh.

A better strategy is to read in secrets from a yaml or json file which gets added to the system at build-time with a ci pipeline.

Ideally you would be able to select the file to load via cli flags when starting your app. Basing all your config off of the current environment is problematic for many reasons. It makes things able to work on staging but not on prod, and makes your config all or nothing. What if you want to run with some services on and some off?

Dotenv is ok for small apps but anything bigger will need a better solution.

Raymond Chang

Hello, Ryan. Can you tell more about "read in secrets from a yaml or json file which gets added to the system at build-time with a ci pipeline"? Is there a tool to do that or some articles on how to do that? I'm pretty new to nodejs and would appreciate your help.

Ryan Cole

Ok here it is! dev.to/genster/config-like-a-pro-4j3i

I'll write up a second post to get into the details of how we manage secrets in the pipeline. This first post is about loading and accessing values in the app itself. Hope it's helpful!

Ryan Cole

Hi Raymond! Ya totally. You know I think I'll write it up into a longer form article. Been wanting to do that for a while anyways :) I'll ping you when I get it published.

Kaleb Haslam 🌐

Keep in mind that React apps are entirely run on the client-side, so even with env variables, the key will essentially be embedded into the code when compiled, and users will be able to view the key if they start digging around in the browser's dev tools. So this is a good way to keep the key out of a git repository, but this method doesn't keep it secret in a production environment.