Where should I store secret strings on Node server?
The common solution is to add a config.js.example
file to version control (that contains empty/dummy values to document what's available).
Then you add config.js
to .gitignore (or whatever suits your VCS).
To run your application you simply copy config.js.example
to config.js
and put in the proper values.
Of course the path to config.js
can be taken from an environment variable to allow easily using different configs - but still, you wouldn't put the actual config files under version control (unless you have a separate private repo for config files etc)
It does make sense to always require a config file to exist. Even in development. While the default settings may be suitable, chances are good that many developers on your application want to configure things anyway or simply test things with non-default values.
The dotenv
package can be used to load configuration and secrets from a .env
file into process.env
. For production, the .env
file doesn't have to exist.
Example:
require('dotenv').config();
const oauth2 = require('simple-oauth2').create({
client: {
id: process.env.TWITTER_CONSUMER_KEY,
secret: process.env.TWITTER_CONSUMER_SECRET
}
});
.env file:
TWITTER_CONSUMER_KEY=bMm...
TWITTER_CONSUMER_SECRET=jQ39...
.gitignore:
.env