Using a `.env` file is a common practice for storing configuration variables, including API tokens, especially in development environments. However, it's important to consider the security implications, particularly in production or shared environments.
If the application is intended for use in a secure, controlled environment where the `.env` file is not exposed to unauthorized users, it might be sufficient. However, if there's any risk of the file being accessed by unauthorized users, or if the application is distributed to end-users, it would be safer to use a more secure method, such as Windows Credential Manager, to store sensitive information like API tokens.
Ultimately, the decision should be based on the specific security requirements and threat model of your application. If you decide to stick with the `.env` file, ensure that you have appropriate file permissions and educate users on securing their environment. If you need further guidance on implementing secure storage, feel free to ask!
_Originally posted by @sourcery-ai[bot] in https://github.com/ClinicianFOCUS/clinicianfocus-installer/pull/4#discussion_r1797323306_