
ENV variables in client

Open jsb188 opened this issue 9 months ago • 5 comments

So, by now I understood that .env files can only be read on the front-end server because Deno is not available on the client side...

So, now how am I supposed to create secrets for my app or have environment variables or detect if it's in development or production mode on the client side?

I looked everywhere in the docs but couldn't find an answer.

Any help would be appreciated.

jsb188 avatar May 16 '24 04:05 jsb188

IIRC, @marvinhagemeister has argued against supporting a way to access env variables from the browser/client before, due primarily to security concerns. Currently, you would need to e.g. proxy requests via a server route/endpoint which injects these. Other full-stack frameworks do support exposing certain env variables to the client, and I think there are indeed valid use cases for this, but don't think it's in scope for Fresh 2.0.

miguelrk avatar May 16 '24 12:05 miguelrk
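The proxy approach described in the comment above, as an added example (not code from Fresh or from anyone in this thread): the server decides which upstream call a browser request may trigger and attaches the secret itself, so the token never appears in client code. `API_TOKEN`, `UPSTREAM_BASE`, the upstream paths and the function name are hypothetical; in a server route the `env` argument would be filled from `Deno.env.get(...)` and `path` from the request URL's pathname.

```typescript
// Added example, not Fresh code. API_TOKEN, UPSTREAM_BASE and the paths below
// are hypothetical names chosen for illustration.
type Env = Record<string, string | undefined>;
type HeaderMap = Record<string, string>;
type Plan =
  | { kind: "forward"; url: string; headers: HeaderMap }
  | { kind: "reject"; status: number; reason: string };

// Exact-match allowlist: the browser cannot steer the proxy to other endpoints.
const ALLOWED_PATHS = new Set<string>(["/v1/profile", "/v1/messages"]);
// Only these client headers pass through; anything else is dropped,
// including a client-supplied Authorization header.
const FORWARDED_HEADERS = new Set<string>(["accept", "content-type"]);

function planUpstreamCall(path: string, clientHeaders: HeaderMap, env: Env): Plan {
  const token = env["API_TOKEN"];
  const base = env["UPSTREAM_BASE"];
  if (!token || !base) {
    // Fail closed and keep the reason generic: no env names leak to the client.
    return { kind: "reject", status: 500, reason: "proxy not configured" };
  }
  if (!ALLOWED_PATHS.has(path)) {
    return { kind: "reject", status: 404, reason: "path not allowed" };
  }
  const headers: HeaderMap = {};
  for (const name of Object.keys(clientHeaders)) {
    const lower = name.toLowerCase();
    const value = clientHeaders[name];
    if (value !== undefined && FORWARDED_HEADERS.has(lower)) headers[lower] = value;
  }
  // The secret is added on the server, after client headers were filtered.
  headers["authorization"] = "Bearer " + token;
  return { kind: "forward", url: base + path, headers };
}

// Constructed sample: a browser request that tries to send its own credentials.
const sampleEnv: Env = {
  API_TOKEN: "server-side-token",
  UPSTREAM_BASE: "https://api.example.test",
};
const samplePlan = planUpstreamCall(
  "/v1/profile",
  { Accept: "application/json", Authorization: "Bearer from-browser", "X-Debug": "1" },
  sampleEnv,
);
```
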

gotcha. since client side is never secure anyways, I think this is fine.

jsb188 avatar May 16 '24 13:05 jsb188

one more question. how do I jumble/minify my development app/production deployment so the code and CSS cannot be human-read easily?

jsb188 avatar May 16 '24 13:05 jsb188

JS code is automatically minified in Fresh. Note that obfuscation is never an adequate security measure. If you are worried about leaking sensitive code, you should never send it to the browser in the first place.

marvinhagemeister avatar May 16 '24 15:05 marvinhagemeister

Not worried about leaking sensitive code. I'm more worried about people using front-end scripting to hack the web socket. I'm making a new app and it happened before in my other app.

jsb188 avatar May 16 '24 15:05 jsb188