I want to clear this issue. I'm new to react js. but I need to store some sensitive data in frontend. just like database name, database password, and database username. I have used universal-cookie and local storage also. but it seems like not secure. because anyone can edit that data if they inspect the page and open the cookie tab. I just want to know if there is a way to make these cookies uneditable or suggest to me if there is a better way to keep this data in frontend?
Thanks in advance
Normally sensitive data are not saving on frontend.
best way is you can call this from server using http request.
Or you can use local storage,cookies,session storage etc.
env setup is another way.
Or you can use thirdparty storge for this, many free & trusted resources are available
Ideally you do not want to, you should always send it encrypted from your BE> But if you must you can create a .env.local file at the root of your react project and put all your variables there. The variable names should start REACT_APP. there should be NO space/quotations around your values in this file
REACT_APP_DB_PASS=your_pass
REACT_APP_DB_ID=your_id
and then you can access them from the process.env object like this
process.env.REACT_APP_DB_PASS
Related
I am building a react application with firebase integration and the environment variables we are using can be inspected out by taking the page source of the page in a deployed website.
I am interested in knowing some ways to make it safer. the only way I can think is of take values from an API so that its not shown with the code at any point.
To connect to firebase I can use the reserved url method to automatically connect.Firebase remote config allows you to store key value pairs. I was thinking of moving all my env variables out to remove config setup and use it from there. So I can remove my .env file altogether and avoid exposing any hardcoded values.
Have anyone tried this already? what could be the recommended way to make .env values safer?
You should never load any values that you don't want users to be able to access into the browser, period. The browser is an open book and while you may be able to obscure values by changing where and how they are loaded, you cannot prevent a motivated attacker from reading absolutely anything and everything you do on the client.
This is why Firebase is designed to have API keys and configuration that are safe to be publicly readable -- when you write security rules you are essentially drawing boundaries around what clients can do.
Firebase Remote Config can and should be used for values that are safe for clients to have -- things like feature flags or environment-specific URLs for APIs. It should not be used for sensitive things like private API keys and secrets.
Sorry if this might be a bit of a trivial question, but I wanna be sure and couldn't exactly find a definitive answer online.
I am writing a small app that uses Mapbox, and I am using react-map-gl for it. They require the access token on the client side, so they suggest using an environment variable. My question is would it be okay to simply create a .env file in the front-end folder and put the variable there?
Thanks!
You can't get away from revealing API keys on the front end. If someone wants to dig around in your source code, they will find them.
However, you should always configure any API key that is visible on the Internet to be restricted to specific referrers, i.e. the domain of your website.
Usually this is done during creation of an API key through your provider's dashboard.
For Mapbox, you can read the documentation on restricting API tokens here. It states:
You can make your access tokens for web maps more secure by adding URL restrictions. When you add a URL restriction to a token, that token will only work for requests that originate from the URLs you specify. Tokens without restrictions will work for requests originating from any URL.
(emphasis my own)
They require the access token on the client side, so they suggest using an environment variable. My question is would it be okay to simply create a .env file in the front-end folder and put the variable there?
There are two reasons one uses environment variables in front-end development:
As a convenience, to keep environment-specific configuration removed from source code.
To keep sensitive information out of source code. You shouldn't commit API tokens or other similarly sensitive details to your version control.
Using environment variables in front-end code will not to keep their values secret from the end user. Whatever the value of an environment variable is at build time will be visible in the compiled output.
I am working on an assignment for a dummy phonebook app, which is an "extra points" part of a test for a local frontend job opening. I did some basic apps with angular before, but I always used it along with php and mysql. For this project the requirements state that I can't communicate with a server, so I need to store, edit, delete and search through data without a real database.
I don't even know what options are out there to achieve something like that, neither which one should I choose. I am looking for a simplest tool that could help me achieve those requirements, preferably one that has decent documentation that can help me get up and running as soon as possible.
You can use simple local filesystem and store objects as JSON using JSON.stringify() and parse them back using JSON.parse(jsonstring)
to write phonebook to your server's file
var phonebook = {
'name1' : 234283409,
'name2' : 234253453,
'name3' : 234234236
};
var jsonStr = JSON.stringify(phonebook);
/*
__________________
contents of jsonStr
{"name1":234283409,"name2":234253453,"name3":234234236}
__________________
write a logic here to save this JSON on a file in your server.
*/
to read phonebook to your server's file
//write a logic here to read JSON back from your server's file
var jsonStr = getJSONDataFromServer();
var phonebook = JSON.parse(jsonStr);
//now you can use your phonebook as a usual js object
You can use csv file to store your data.
To store data on the client you can use any local storage methods:
WebStorage: Web Storage API (provides both sessionStorage and localStorage)
gears: Google Gears-based persistent storage
whatwg db: HTML database storage standard
cookie: Cookie-based persistent storage RFC
The best choice depends on the kind of data you need to store, and the usage of that data. The most common choice is WebStorage.
If you use Angular, the great module ngStorage is available, that makes Web Storage working in the Angular Way.
Be warned that:
you'll be able to store only data per user, of course (i.e., you'll not be able to store any global status of the application).
any client storage solution poses strict space limits, which often differ from browser to browser.
If instead you simply don't want to use any local server solution, you could try some cloud platform, like, for example, firebase (just acquired by Google), or others.
you can use Google's Firebase. If firebase is complicated to you then use simple localstorage.
I am trying to create a Google Chrome Extension which Needs to store Data from users for login authentication. Can you please advise me which Database I can try to have with the app? I already tried the SQLite but I am not sure that end users can update the tables by inserting or deleting rows? I also saw some posts about Web Databases but didn't find any thing really useful for it! now my question is:
1- Is SQLite capable to be updated by end users(While eht do not have SQLite on their Machine?)
2- If not, what kind of Secure database I can use instead?
Thanks,
In an extension you can use webDB (apps cannot, however), indexedDB, localStorage and/or the chrome.storage api. The later has the added bonus of not being visible if an end user figures out how to inspect your extension with devtools. If you're worried about credentials being stored as plain text, you can always find a js crypto Implementation somewhere.
This seems like a repeat of the question : Connecting to DB from a Chrome Extension?.
It basically says you should use an intermediary webapp for db calls, and use AJAX to communicate between the chrome extension and that app.
I am using Azure Mobile Services to store images for a web application.
I have managed to successfully upload images to a private container. I've followed the logic in this introductory guide (http://code.msdn.microsoft.com/windowsapps/Upload-File-to-Windows-c9169190), i.e. when uploading the file to the database an SAS is generated by a node script called when inserting a record into a table.
One of the reasons to use this approach from mobile apps is so that the storage key is not stored within the application source itself.
Conforming with that idea I am now struggling to find an example of how to download the images.
Perhaps I should update the read function for the same table and have that return an SAS which can be used to accessed the image.
Does this sound reasonable or are they better approaches?
Any assistance is greatly appreciated.
It sounds to me like you are on the right track. If you are storing the image in a private container and want the mobile device to read it back then yes, you will want to produce a SAS that allows reading and get that back to the device. The device code can then make a call directly against BLOB storage using that SAS URL to retrieve the image.
This applies only if you want the container private. If the container is public then just returning the URL (like they have in the article you link to) should be fine.
It also depends on how private you care the image to be. For example, let's say you have a container created per user. If the container has a Shared Access Signature Policy on it with a really far off expiration date then technically someone still needs the URL with the SAS to view it, but you can create that SAS and store it like the sample. The mobile app can then be given the URL when it reads data from your service and get to the BLOB directly without having it create an additional SAS. In my opinion this option only really works if the images aren't going to be around very long, or you don't really care that if someone sniffs the URL from the network traffic that they can access it.
If you want it fairly secure and do not know how long the images will be around, then you should go with your stated approach of getting a SAS for read when the app reads from the related table data. The SAS can have a fairly short expiry on it and the mobile device can cache the result.