Hi, while parsing the code I found that Google Analytics (GA) IDs are open, even with Google Tag Manager ID (gtmId). It would be better if this is exported in a separate .env, as you have other environments.
ex: NEXT_PUBLIC_POSTHOG_KEY, NEXT_OPEN_PANEL_CLIENT_ID, etc.
It would be better if these keys were not NEXT_PUBLIC; it violates the security part...
From ChatGPT, when I'm asking why we won't use NEXT_PUBLIC for sensitive environments:
Variables prefixed with NEXT_PUBLIC are exposed to the client-side, making them accessible in the browser’s developer tools. This can be a security risk if you are handling sensitive data such as API keys, tokens, or database credentials. Any sensitive or private information should remain server-side and not be exposed to the client.
More on this topic: https://stackoverflow.com/a/70766460
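
An added example, not part of the original post or the project's code: a small check a CI job could run over a `.env` file to list `NEXT_PUBLIC_` variables whose names suggest a credential, since Next.js inlines those values into the browser bundle at build time. The hint list, the allowlist of reviewed names and the sample variables are assumptions made up for illustration.

```javascript
const PUBLIC_PREFIX = 'NEXT_PUBLIC_';
// Heuristic (assumption): name fragments that usually indicate a credential.
const SECRET_HINTS = /(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE|CREDENTIAL|KEY)/;

// Constructed sample .env content; every value is a placeholder.
const SAMPLE_ENV = [
  '# constructed sample, not from the project',
  'NEXT_PUBLIC_POSTHOG_KEY=phc_placeholder',
  'NEXT_PUBLIC_GTM_ID="GTM-XXXXXXX"',
  'NEXT_PUBLIC_PAYMENT_SECRET_KEY=placeholder',
  "export NEXT_PUBLIC_DB_PASSWORD='placeholder'",
  'DATABASE_URL=postgres://user:placeholder@localhost/db',
  'NEXT_PUBLIC_API_TOKEN=',
].join('\n');

// Parse KEY=VALUE lines, skipping blanks and comments, tolerating "export"
// and one layer of matching quotes around the value.
function parseEnv(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#')) return;
    const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
    if (!m) return;
    const value = m[2].replace(/^(['"])(.*)\1$/, '$2');
    entries.push({ name: m[1], value, line: i + 1 });
  });
  return entries;
}

// Return browser-exposed variables that look like secrets and have not been
// explicitly reviewed. Values are never returned, so the report cannot leak them.
function auditPublicEnv(text, reviewedPublic = []) {
  const allowed = new Set(reviewedPublic);
  return parseEnv(text)
    .filter((e) => e.name.startsWith(PUBLIC_PREFIX))
    .filter((e) => SECRET_HINTS.test(e.name) && !allowed.has(e.name))
    .map((e) => ({ name: e.name, line: e.line, empty: e.value === '' }));
}

// Hypothetical allowlist: names a reviewer confirmed are meant to be public.
const findings = auditPublicEnv(SAMPLE_ENV, ['NEXT_PUBLIC_POSTHOG_KEY']);
for (const f of findings) {
  console.log(`line ${f.line}: ${f.name} is exposed to the browser`);
}
```

A non-empty result can fail the build, which forces each flagged name to be either moved server-side (prefix dropped) or added to the reviewed list.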