Security concerns - Use case: API endpoints as vars

[IoannisPetridis]

Hello maybe I am missing something here but since the env object can be edited by anyone through the console, then I suppose we don't really gain a lot by exposing it through the index.html right? I am trying to do something similar in my project by using similarly an env var that would expose api endpoints during runtime, and I am wondering if a possible solution would be to call Object.freeze() on that ? So like this:

<title>React App</title>
    <script>
        env = Object.freeze(%REACT_APP_ENV%)
    </script>
</head>

[IoannisPetridis]

As a continuation to the above, would you please elaborate on how this solution makes the setting of values run-time ? I do not understand the usage of the config.json file in conjunction with the published immutable template (index.ejs) file that was generated from the templated index.ejs...

[titenis]

As a continuation to the above, would you please elaborate on how this solution makes the setting of values run-time ? I do not understand the usage of the config.json file in conjunction with the published immutable template (index.ejs) file that was generated from the templated index.ejs...

sorry for bumping old issue, but as I understand config.json, .env file with ejs placeholders and index.ejs are used to quickly generate index.html without doing whole app rebuild. This is useful when you have to deploy same app on multiple environments or when you need to rollback. The production index.html for example would be generated with ejs cli cmd like ejs ./index.ejs -f config.json -o ./index.html.