denoland / fresh

The next-gen web framework.
https://fresh.deno.dev
MIT License

ENV variables in client #2427

Open saeho opened 3 months ago

saeho commented 3 months ago

So, by now I understood that .env files can only be read on the front-end server because Deno is not available on the client side...

So, now how am I supposed to create secrets for my app or have environment variables or detect if it's in development or production mode on the client side?

I looked everywhere in the docs but couldn't find an answer.

Any help would be appreciated.

miguelrk commented 3 months ago

IIRC, @marvinhagemeister has argued against supporting a way to access env variables from the browser/client before, due primarily to security concerns. Currently, you would need to e.g. proxy requests via a server route/endpoint which injects these. Other full-stack frameworks do support exposing certain env variables to the client, and I think they are indeed valid use cases for this, but don't think it's in scope for Fresh 2.0.
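
The proxy approach mentioned in the comment above, as an added example that is not part of the thread or of Fresh's code base: a helper for a server route builds the upstream request on the server and injects the token there, so the secret never reaches the browser. The upstream host, the `API_TOKEN` variable name, the `/api/proxy/` prefix and the allowed resources are assumptions; `env` stands in for a server-side lookup such as `Deno.env.get`.

```typescript
// Added example: server-side proxy helper that injects a secret the browser never sees.
// UPSTREAM, API_TOKEN, PREFIX and ALLOWED are assumptions made for illustration.
type Env = (name: string) => string | undefined; // e.g. (n) => Deno.env.get(n) on the server

const UPSTREAM = "https://api.example.com"; // constructed placeholder host
const PREFIX = "/api/proxy/";
const ALLOWED = new Set(["weather", "geocode"]); // only these upstream resources are reachable
const FORWARDED_HEADERS = ["accept", "content-type"]; // client headers that are passed through

// Returns the upstream Request to send, or a Response rejecting the call.
function buildUpstreamRequest(req: Request, env: Env): Request | Response {
  const url = new URL(req.url);
  if (req.method !== "GET") return new Response("method not allowed", { status: 405 });
  if (!url.pathname.startsWith(PREFIX)) return new Response("not found", { status: 404 });

  // Exact-match allowlist so the route cannot be used as an open proxy.
  const resource = url.pathname.slice(PREFIX.length);
  if (!ALLOWED.has(resource)) return new Response("forbidden", { status: 403 });

  // Fail closed when the secret is missing instead of calling upstream unauthenticated.
  const token = env("API_TOKEN");
  if (!token) return new Response("server misconfigured", { status: 500 });

  // Copy only known-safe headers; cookies and any client-supplied Authorization are dropped.
  const headers = new Headers();
  for (const name of FORWARDED_HEADERS) {
    const value = req.headers.get(name);
    if (value !== null) headers.set(name, value);
  }
  headers.set("authorization", `Bearer ${token}`); // injected on the server only

  const target = new URL(`/v1/${resource}`, UPSTREAM);
  target.search = url.search; // query string is forwarded unchanged
  return new Request(target.toString(), { method: "GET", headers });
}
```

The route handler would pass the returned `Request` to `fetch` and relay the upstream response body to the client; a returned `Response` is sent back as-is.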

saeho commented 3 months ago

gotcha. since client side is never secure anyways, I think this is fine.

saeho commented 3 months ago

one more question. how do I jumble/minify my development app/production deployment so the code and CSS cannot be human-read easily?

marvinhagemeister commented 3 months ago

JS code is automatically minified in Fresh. Note that obfuscation is never an adequate security measure. If you are worried about leaking sensitive code, you should never send it to the browser in the first place.

saeho commented 3 months ago

Not worried about leaking sensitive code. I'm more worried about people using front-end scripting to hack the web socket. I'm making a new app and it happened before in my other app.