
Question: How to store sensitive variables #2353

Open
leandrodesouzadev opened this issue May 2, 2023 · 7 comments

Comments

@leandrodesouzadev

Hey there.
I did not find any better place to ask this question, as I already looked for support on the BigCommerce store help.
We inherited a code base that's deployed as a storefront using this theme. This code base is supporting 2 different stores, with different products and pricing for different countries. Currently some sensitive environment variables are being checked into the repository (:fearful:) in the config.json file at the root directory.
We're looking for a better way of handling these sensitive parameters, because currently they're available in the storefront HTML when the page is built.
Is there any convention on how we should hold integrations keys (probably on an application server)?

Any help/guidance is appreciated.
Thanks in advance.

@BC-krasnoshapka
Contributor

Hi @leandrodesouzadev, I don't think it's a good idea to keep any secrets in config.json. How do you use them on the application server? Can you give some example?
Regarding the described case with different products/pricing/countries: do you know about the ability to have multiple channels? It sounds like a better way for the described case.

@leandrodesouzadev
Author

We have two application servers:
One that proxies the BigCommerce REST API (to get product data that is not available on GraphQL).
One that has some business rules about customers, and redirects.

On these applications we keep the secrets secret. But to integrate with these servers we have some API keys, and these keys are stored in the config.json. The question is how we should properly store these API keys that must be used client-side?

@emilian

emilian commented May 11, 2023

@leandrodesouzadev You can try https://codebyhooks.com It allows you to setup a proxy API if you want, and it can store encrypted env variables. It only works with Node right now, but working on adding support for Python as well.

@leandrodesouzadev
Author

We really don't want to pay for a service to do something that's meant to be included.
@BC-krasnoshapka I know you guys don't have any SLA here, but are there any updates on my question?

@emilian

emilian commented May 12, 2023

@leandrodesouzadev Why would it be included to run an application server? Genuinely curious.

@leandrodesouzadev
Author

What I'm trying to say is that other platforms have their own ways of storing sensitive variables, in a .env file for example; this is what I'm saying should be included.
The question here is how to store these sensitive variables; if there's no other way of storing them than on an application server, then my question is answered.

@emilian

emilian commented May 12, 2023

@leandrodesouzadev Cornerstone is completely frontend, there is no backend access to store variables.

If you have a public API (either proxy or business logic), then you can store the API token in the config.json file. Anybody will be able to see the token if they check the Network tab of their browser. If you have sensitive API tokens then you should be storing those on the application server.

Hopefully that clears it up.
