Worth mentioning that Node.js recently (20.6) introduced native support for .env files. So if your application supposed to run on new versions, you can drop dotenv dependency.
Outstanding explanation, nice way to explain the api key, kindly tell how can we use api url in pages\cstomer.js file? that will not show in the browser.
We agree but this really gets into a deep conversation about the architecture behind your application and what is infrastructure it is running on. Envrionment variables won't be exposed unless one or more applications are already compromised so while it is not the most secure way, it is a good starting point in understanding how to handle secrets.
@@GitGuardian that's fair though it's always good to know that there are downsides and potentially better approaches even if you're showing the most balanced approach in terms of trade-offs between effort to implement and deploy versus amount of improvement it gives 👍😊
@@richardnpaul_mob Good points, next videos on my planned list are using secrets managers and vaults for secrets. We appreciate you giving us feedback 👍
If your production environment is compromised, you are screwed. It doesn't really matter if env variables are visible, because malicious actor can simply directly read .env file (or whatever place you store secrets in) anyway.
Worth mentioning that Node.js recently (20.6) introduced native support for .env files. So if your application supposed to run on new versions, you can drop dotenv dependency.
there's some caveats - no multiline support, no override support, no expansion support, and no .env.vault support. We wrote about it on our blog.
Outstanding explanation, nice way to explain the api key, kindly tell how can we use api url in pages\cstomer.js file? that will not show in the browser.
Hello, could you please elaborate your question as it's not directly tied to what's in the video?
perfect video, thank you so much!
Bro. Actually I have seen a lot. This video matches exactly my expectation.
ps -e reveals those secrets so env vars are not the best idea either (better than hard coding but there are better ways yet than env vars)
We agree but this really gets into a deep conversation about the architecture behind your application and what is infrastructure it is running on. Envrionment variables won't be exposed unless one or more applications are already compromised so while it is not the most secure way, it is a good starting point in understanding how to handle secrets.
@@GitGuardian that's fair though it's always good to know that there are downsides and potentially better approaches even if you're showing the most balanced approach in terms of trade-offs between effort to implement and deploy versus amount of improvement it gives 👍😊
@@richardnpaul_mob Good points, next videos on my planned list are using secrets managers and vaults for secrets. We appreciate you giving us feedback 👍
@@GitGuardian I'd better subscribe then 😊
If your production environment is compromised, you are screwed. It doesn't really matter if env variables are visible, because malicious actor can simply directly read .env file (or whatever place you store secrets in) anyway.