How to handle server secrets #336

Closed
paramaggarwal opened this issue Sep 1, 2017 · 2 comments

paramaggarwal commented Sep 1, 2017

What is the correct method to pass server secrets that were previously passed as environment variables? Razzle requires the RAZZLE_ prefix for all environment variables. Also, env won't be picked at runtime on the server - hence the env setup on the server is irrelevant now.

What's the best practice around secret keys in the world of Razzle? Thanks.

Collaborator

jariz commented Sep 4, 2017

If you don't use any of the 'secret' env vars from your frontend entry point (and so on), it should not package them along with your frontend bundle.
You can safely assume that any env vars that only get referenced from the server side don't get exposed in the client bundle.

Dotenv vars get defined globally with DefinePlugin on both the server and client side, and should be accessible under process.env.RAZZLE_MY_SECRET as mentioned in the docs.

Can you post any examples of your server side code?

Author

paramaggarwal commented Sep 4, 2017

One example was that I have a file called config.json with three objects, development, staging and production. Previously I used to pick this object based on process.env.NODE_ENV. But Razzle limits this to just development and production. Hence, I am now using a separate process.env.RAZZLE_ENV value for the same. I believe that should resolve my problem for now.

Thanks @jariz!
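
The point made in the thread, that DefinePlugin inlines referenced env vars into the bundle at build time, can be verified after a build. The following is an added example, not part of the original thread and not Razzle code: it scans client bundle text for the values of env vars you treat as secret. The function names, the env var names and the sample bundle contents are constructed for illustration.

```javascript
// Added example (not Razzle code). DefinePlugin replaces process.env.RAZZLE_*
// references with string literals at build time, so a secret referenced from
// client code ends up as plain text inside the client bundle.

// Values shorter than this match too easily by accident and are skipped.
const MIN_SECRET_LENGTH = 8;

// Forms a string value can take in emitted JS: raw, or escaped in a literal.
function encodings(value) {
  const escaped = JSON.stringify(value).slice(1, -1);
  return [...new Set([value, escaped])];
}

// bundles:     { fileName: sourceText } for the CLIENT build output only
// env:         the environment the build ran with (e.g. process.env)
// secretNames: names of vars that must never reach the browser
function findLeakedSecrets(bundles, env, secretNames) {
  const leaks = [];
  const skipped = []; // unset or too short: report them, do not pass silently
  for (const name of secretNames) {
    const value = env[name];
    if (typeof value !== 'string' || value.length < MIN_SECRET_LENGTH) {
      skipped.push(name);
      continue;
    }
    for (const [file, source] of Object.entries(bundles)) {
      const hit = encodings(value)
        .map((needle) => source.indexOf(needle))
        .find((offset) => offset !== -1);
      if (hit !== undefined) leaks.push({ name, file, offset: hit });
    }
  }
  return { leaks, skipped };
}

// Constructed sample input: one secret referenced from client code, one not.
const sampleEnv = {
  RAZZLE_SESSION_KEY: 'constructed-session-key-0001',
  RAZZLE_DB_PASSWORD: 'constructed-db-password-0002',
};
const sampleClientBundles = {
  'bundle.js': 'var k="constructed-session-key-0001";',
  'vendor.js': 'function noop(){}',
};
const sampleReport = findLeakedSecrets(
  sampleClientBundles, sampleEnv,
  ['RAZZLE_SESSION_KEY', 'RAZZLE_DB_PASSWORD', 'RAZZLE_UNSET']
);
```

In a build pipeline, pass the contents of the client build output files as `bundles` and fail the job when `leaks` is non-empty or `skipped` contains a name you expected to be set.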
