Question for the Meteor team about settings.json's security


#1

I started wondering about the security of the settings.json file after seeing all my settings on the Galaxy settings page.

There is no bcrypted string (e.g. sha256) or even asterisks for hiding keys. It makes me nervous.

I've tried to find an explanation of how to manage and save the settings.json file, but it doesn't exist.

Of course, I already hid settings.json from CVS and any online-available services.
But I am concerned and curious about how Galaxy handles this problem.

Thanks.


#2

The only settings made public are those you have explicitly defined as public in your settings.json file. For example:

{
  "myPrivateKey": "abc123",
  "secretObject": {
    "firstSecret": 999,
    "secondSecret": [1, 2, 3, 4]
  },
  "public": {
    "anyoneCanSeeThis": "xyz",
    "thisIsNotSecret": 345
  }
}

Only anyoneCanSeeThis and thisIsNotSecret will be available on the client: that includes within the code itself, since browser JavaScript is accessible to anyone.
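A pre-deploy check built on the rule described above, as an added example that is not part of the thread or of Meteor itself: it computes the subtree a browser would receive and flags credential-looking key names under `public`. The function names, the `SECRET_NAME` heuristic, the `reviewed` allowlist and the sample settings (including the misplaced `apiSecret`) are assumptions constructed for illustration.

```javascript
// Constructed sample settings: the thread's example plus one deliberately
// misplaced credential under "public".
const sampleSettings = {
  myPrivateKey: "abc123",
  secretObject: { firstSecret: 999, secondSecret: [1, 2, 3, 4] },
  public: {
    anyoneCanSeeThis: "xyz",
    thisIsNotSecret: 345,
    analytics: { apiSecret: "constructed-value" }
  }
};

// Heuristic (assumption): key names that usually denote credentials.
const SECRET_NAME = /(secret|passw(or)?d|token|private|api[_-]?key|credential)/i;

// The part of the settings a browser receives: only the "public" subtree.
function clientVisible(settings) {
  const pub = settings && settings.public;
  // Deep copy so callers cannot mutate the original settings object.
  return pub && typeof pub === "object" ? JSON.parse(JSON.stringify(pub)) : {};
}

// Collect dotted paths under "public" whose key name looks like a credential.
// `reviewed` lists paths a human has confirmed are safe to expose, which
// suppresses name-based false positives such as "thisIsNotSecret".
function findExposedSecrets(settings, reviewed = []) {
  const hits = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (SECRET_NAME.test(key) && !reviewed.includes(here)) hits.push(here);
      walk(value, here); // descend into nested objects and arrays
    }
  };
  walk(clientVisible(settings), "public");
  return hits;
}

// Stand-alone run: report findings for the constructed sample.
const findings = findExposedSecrets(sampleSettings, ["public.thisIsNotSecret"]);
console.log("client-visible keys:", Object.keys(clientVisible(sampleSettings)));
console.log("suspicious public paths:", findings);
```

Running this in CI against the parsed settings.json and failing the build on a non-empty result keeps a server-side key from being moved under `public` unnoticed.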