Open benderunit opened 8 years ago
@benderunit Yes indeed. What do you suggest? Perhaps having the secret key as an environment variable?
Does it exhibit the same problem when running as prod?
No, it does not. @nym, you can run it
SECRET="YOUR_SECRET_KEY" node server.js
with the key set in your environment. This is how it is done to protect code from committing sensitive information into repositories.
Is this http://hapi-reactstarterkit.rhcloud.com/ an example for running this starter kit in a production environment? If it is, I think it's leaking sensitive information through the running webpack server. It serves information like the iron secret through the config.js file.
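An added example, not code from this thread or from the starter kit, of the approach discussed above: the secret is read from the `SECRET` environment variable, only allow-listed keys are handed to code that gets bundled for the browser, and a guard fails the build if the secret value shows up in client-served text. The function names, the `apiBase` and `PORT` settings, and the 32-character minimum (assumed from iron's password length requirement) are assumptions.

```javascript
// Added example: loadServerConfig, clientConfig and assertNoSecretLeak are hypothetical names.
const MIN_SECRET_LENGTH = 32; // assumption: iron rejects passwords shorter than 32 characters

// Server-only settings: the secret comes from the environment, never from a committed file.
function loadServerConfig(env = process.env) {
  const secret = env.SECRET;
  if (typeof secret !== 'string' || secret.length < MIN_SECRET_LENGTH) {
    throw new Error(`SECRET must be set to at least ${MIN_SECRET_LENGTH} characters`);
  }
  return {
    port: Number(env.PORT) || 3000,
    apiBase: env.API_BASE || '/api',
    secret,
  };
}

// Only allow-listed keys may reach code that webpack bundles or serves to the browser.
const CLIENT_KEYS = ['apiBase'];
function clientConfig(serverConfig) {
  const out = {};
  for (const key of CLIENT_KEYS) out[key] = serverConfig[key];
  return Object.freeze(out);
}

// Build/CI guard: fail if the secret value appears in any text served to clients.
function assertNoSecretLeak(servedText, secret) {
  if (servedText.includes(secret)) {
    throw new Error('secret value found in client-served content');
  }
  return true;
}

// Constructed sample environment (not a real key).
const sampleEnv = { SECRET: 'x'.repeat(40), PORT: '8080' };
const server = loadServerConfig(sampleEnv);
const bundleText = `window.__CONFIG__=${JSON.stringify(clientConfig(server))}`;
assertNoSecretLeak(bundleText, server.secret);
console.log(bundleText);
```

Running the guard against the built bundle in CI catches the case where a shared config.js is imported by client code again later.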