Hardcoded credentials in your source code, such as passwords, tokens, and API keys, can lead to security vulnerabilities, even if the source repository is private and/or self-hosted.
As a best practice, it is recommended to use environment variables.
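In JavaScript, the convention is to use the dotenv package to read secrets from a .env
file. The .env file must itself be kept out of version control (for example, by listing it in .gitignore); otherwise the secrets are still committed to the repository.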
import { initializeApp } from "firebase/app";
// Non-compliant example: the API key is committed to the repository as a
// string literal, so anyone who can read the source or its history can
// recover it.
const firebaseConfig = {
  apiKey: "<YOUR_API_KEY_AS_A_STRING_LITERAL>",
  // ^ This literal may also be exposed in error messages, stack traces, etc.
  appId: "1:2729...",
  projectId: "firebase-project",
  databaseURL: "https://<app>.firebaseio.com",
  // ...
};
const app = initializeApp(firebaseConfig);
import mysql from "mysql";
// Non-compliant example: the database user name and password are string
// literals in the source, so they are stored wherever the code is stored.
const connectionOptions = {
  host: "<url>",
  user: "bob",
  password: "ABc-07",
};
const conn = mysql.createConnection(connectionOptions);
import { initializeApp } from "firebase/app";
import dotenv from "dotenv"
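// Load the variables defined in a `.env` file into `process.env`.
// The `.env` file must stay out of version control (e.g. via .gitignore).
dotenv.config();

// Fail fast when the key is missing instead of initializing with `undefined`.
if (!process.env.FIREBASE_API_KEY) {
  throw new Error("FIREBASE_API_KEY is not set");
}

const app = initializeApp({
  // Read from the environment at runtime rather than stored in the source.
  // NOTE(review): if this module is bundled for the browser, the bundler
  // typically inlines the value into the shipped code; the environment
  // variable then only keeps the key out of the repository, not away from
  // clients.
  apiKey: process.env.FIREBASE_API_KEY,
  appId: "1:2729...",
  projectId: "firebase-project",
  databaseURL: "https://<app>.firebaseio.com",
  // ...
});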
import mysql from "mysql"
import dotenv from "dotenv"
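// Load the variables defined in a `.env` file into `process.env`.
// The `.env` file must stay out of version control (e.g. via .gitignore).
dotenv.config();

// Fail fast on missing settings: an unset variable would otherwise be passed
// to the driver as `undefined` instead of stopping the program at startup.
const requiredVars = ["SQL_HOST", "SQL_USER", "SQL_PASSWORD"];
const missingVars = requiredVars.filter(
  (name) => process.env[name] === undefined,
);
if (missingVars.length > 0) {
  // Report variable names only; never put their values in the message.
  throw new Error(`Missing environment variables: ${missingVars.join(", ")}`);
}

const conn = mysql.createConnection({
  host: process.env.SQL_HOST,
  user: process.env.SQL_USER,
  password: process.env.SQL_PASSWORD,
});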