Leaking sensitive information?

[benderunit]

Is this http://hapi-reactstarterkit.rhcloud.com/ an example for running this starter kit in an production environment? If it is, I think it's leaking sensitive informations through the running webpack server. It serves informations like the iron secret through the config.js file.

[Dindaleon]

@benderunit Yes indeed. What do you suggest? Perhaps, having the secret key as environment variable?

[nym]

Does it exhibit the same problem when running as prod?

[FullStackForger]

No it does not @nym
You can run it

SECRET="YOUR_SECRET_KEY" node server.js

with key set to your environment. This is how it is done to protect code from commiting sensitive information into repositories.