hidden .env variables in config #1632
Comments
Sorry, my mistake! Yeah, this has been something we've been thinking of and could write to a .env file that would be invisible
Hey @tgrrr, thanks for the feature request! As sandboxes run in the browser, there's really no way to have secrets inside a sandbox, because if the users' browser has access to them (and it of course needs access during execution), users will also have access to them. "Hiding" or obfuscating them somehow won't work, as security by obscurity is never a good idea. That doesn't mean it's not possible, but you'll have to use a server sandbox, a feature which, incidentally, just went out of beta today! There's no docs for that yet (improving docs is one of our priorities for the near future), but they're quite intuitive to use, and you can see how they work in this tweet. If you're interested in more details about containers and / or secrets, you can also reach us on Spectrum.
I see that server sandboxes have the ability to contain secrets, but what about using secrets in something like the
As @lbogdan wrote before:
If there will be such a feature in the browser sandboxes, it will be visible to everybody. That's why it is not implemented.
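The point made in the comments above, that anything the browser needs at run time is readable by the user, can be checked before client code is published. The following is an added example, not code from CodeSandbox or from this thread: it scans text destined for the browser for values taken from a .env file. The function names, the sample key, the URL and the bundle text are all constructed for illustration.

```javascript
// Added example; function names and all sample data are constructed.

// Parse .env text into [name, value] pairs (handles comments, `export`, quotes).
function parseEnv(text) {
  const vars = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) continue;
    let value = m[2].trim();
    const quoted = value.match(/^(["'])(.*?)\1(?:\s+#.*)?$/);
    value = quoted ? quoted[2] : value.replace(/\s+#.*$/, ''); // drop inline comment
    vars.push([m[1], value]);
  }
  return vars;
}

// Report each variable whose value appears (plain, URL-encoded or base64) in
// text that will be served to the browser. Values shorter than minLength are
// skipped to avoid false positives on settings such as "true" or "3000".
function findExposedSecrets(envText, clientText, minLength = 8) {
  const findings = [];
  for (const [name, value] of parseEnv(envText)) {
    if (value.length < minLength) continue;
    const forms = [
      ['plain', value],
      ['urlencoded', encodeURIComponent(value)],
      ['base64', Buffer.from(value, 'utf8').toString('base64')],
    ];
    const hit = forms.find(([, needle]) => clientText.includes(needle));
    if (hit) findings.push({ name, form: hit[0] });
  }
  return findings;
}

const SAMPLE_ENV = [
  '# constructed sample, not a real key',
  'REACT_APP_MAPS_KEY="EXAMPLE-maps-key-0000"',
  'export SESSION_SECRET=EXAMPLE/server+only==   # not used by client code',
  'PORT=3000',
].join('\n');

// Constructed stand-in for a built client bundle in which the build tool has
// replaced process.env.REACT_APP_MAPS_KEY with its literal value.
const SAMPLE_BUNDLE =
  'function loadMap(){var s=document.createElement("script");' +
  's.src="https://maps.example.invalid/js?key="+"EXAMPLE-maps-key-0000";' +
  'document.head.appendChild(s)}';
console.log(findExposedSecrets(SAMPLE_ENV, SAMPLE_BUNDLE));
```

Run it over every file the build emits for the browser. A hit means the value has to be treated as public, and the call that needs it belongs behind a server.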
🌈 Feature
Allow private .env (or other) variables to be added in the configuration section
It's a popular request, see:
#1373
#1629
#1119
Add UPPERCASE_VARIABLES in the configuration section
Variables are globally accessible in the sandbox as UPPERCASE_VARIABLES
This would allow us to demo things like a google map api, without exposing our keys to the world.
create react app, dotenv, etc are all fine.
Here's an example that I couldn't finish without exposing my keys to the world:
https://codesandbox.io/s/z3vrzpz7m