remix-run / remix

Build Better Websites. Create modern, resilient user experiences with web fundamentals.
https://remix.run
MIT License
29.81k stars 2.51k forks

Documentation clarification on safety of secrets in .env file #1322

Closed lpsinger closed 2 years ago

lpsinger commented 2 years ago

What is the new or updated feature that you are suggesting?

The Jokes App example in the documentation advises putting the session secret in the .env file. However, the create-react-app documentation warns:

WARNING: Do not store any secrets (such as private API keys) in your React app!

Environment variables are embedded into the build, meaning anyone can view them by inspecting your app's files.

Suggest clarifying this point in the Remix documentation: is it safe to put secrets for a Remix app in the .env file? And if so, explain why it is safe for Remix but not create-react-app.

Why should this feature be included?

Jokes app example in documentation

sairajchouhan commented 2 years ago

I guess this solves your issue https://remix.run/docs/en/v1/guides/envvars#environment-variables

lpsinger commented 2 years ago

No, it does not. It does not state that process.env will not get bundled into the files that the browser sees.

girishk21 commented 2 years ago

@lpsinger they have specified here https://remix.run/docs/en/v1/guides/envvars#browser-environment-variables

sairajchouhan commented 2 years ago

If your experience with web development is primarily with the JS frameworks of the last few years, you might think of these as something for your build to use. While they can be useful for bundling code, traditionally those are "build arguments", not environment variables. Environment variables are most useful at runtime on the server.

lpsinger commented 2 years ago

I see, thanks! I'm fairly new to React (and modern JavaScript, for that matter). If this is common knowledge and I should have known better, please feel free to close this issue!

sairajchouhan commented 2 years ago

It's okay @lpsinger, we were all there at some point. BTW if you don't have any concerns with the issue, you can close it (cause I am not a maintainer of Remix 😅).