ICT Group

Tessa van der Heijden

Elixir

Community Picks is a section on daily.dev where our community members share the most interesting and valuable content they've discovered online. From insightful articles to handy tools, every post is a gem curated by our dedicated coomunity. To contribute to Community Picks, you need to have at least 250 reputation points, ensuring that only active and trusted members can share their finds.

Community Picks

Discusses the potential dangers and security risks associated with using client-side environment variables for storing sensitive information, illustrated through a specific case involving Gamersafer. Through detailed recounting of how AWS keys were exposed and the implications thereof, it underscores the importance of server-side API calls for handling sensitive data.

why client-side environment variables are a bad idea

TL;DR: don’t expose 3rd party access keys (AWS secrets, in this case) in the browser. They must stay on the server-side of web applications.
For clarification, the “client-side environment variables” mentioned in this article actually seem to be values in plain JavaScript objects, sent from the server (but should be kept on the server) and viewable in source. I think. It’s a difficult article to parse.
Kudos to the author for their investigation.
But, just an old man gripe: if you’re going to write an article in a human language (English in this case) for the world to read, learn and use the f-ing grammar of the language. At the very least learn how to capitalise. Otherwise you look like an uneducated and lazy child. Have some care in communication, and respect your readers.

Solution if you want to upload via frontend: <a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/PresignedUrlUploadObject.html" target="_blank" rel="noopener nofollow">https://docs.aws.amazon.com/AmazonS3/latest/userguide/PresignedUrlUploadObject.html</a>

isn’t this obvious and if you fall for that, you should quit your dev job and go for janitor or smth?