Data exposure in client side[Solved]

well i was working on the API stuff using the meteor where one needs to provide the key and secret to run the API. While all worked with no problem i came up with serious issue…where after my inspection(using chrome inspector tool) those keys and secret is completely exposed. I even tried the export method of stroing the variable and it still was exposed. Someone care to give me some suggestion on what can be done !

One strategy is to use the METEOR_SETTINGS environment variable.

A similar technique is to use a Meteor settings file.

Both these options let you use the 'Meteor.settings` API to access the data. Done correctly, neither will expose secret data to the client.

There are other ways to achieve the same results, including server-only imports.

You will also need a strategy to avoid accidentally publishing codified secrets to GitHub!


Thank you for the response. I will try with those environment variable setting. And will hopefully get the answer.

If you import file which contains keys, you can put that file in a folder named ‘server’.

I tried with “settings.json” and its working… the only this is…how do make it work after i deploy it. I am using mup for deploying it

@robfallows @minhna Thank you for help guys… the problem has been solved. I solved it by using the meteor.setting env variable method…!


If you’re not already dividing your app code into server/ and client/ directories, consider doing that. Otherwise all your server code will be shipped to the client. The Meteor guide has a good explanation of how to structure your app and avoid exposing your server code.

you are right. Well since i am a beginner i didn’t know the code could be exposed so easily. Now that i know how easy it is to expose if you dont structure it carefully. So yeah i am so gonna reconsider my code structure and file structure decision. And many thanx to this forum.


What problem i had was i had written all my api code in my client JS file (where i used the API secret and API key) and hence exposing(from the inspect utility of chrome) those keys. So to tackle this what i did was the use of ENVIRONMENT variable “settings.json”. It worked fine in my local host but was difficult while deploying(i was using “mup” to deploy). To my surprise the “settings.json” file was already inside the “.deploy” folder which was in root of my project. Then i just copy pasted the json format keys and passed those keys to my client file and hence the data exposure was prevented. Hope it helps to upcoming beginners.