In various tutorials I'm finding them all saying that "JWTs should be signed by an environment variable and not hard-coded into an application". From a security standpoint, if a hacker were to gain access to my Node.js application's source code, I'm assuming they could also see the environment variables on the server's system? How is it inherently more secure to call an environment variable from within Node vs. hard-coding the app's source code?
There are several reasons for this.
1) Your signing key for the JWTs should be different for each environment (e.g. you don't want your developers knowing your production signing key). The easiest way to achieve this is to use environment variables.
2) You should abstract secret things out of the codebase. So that either means a config file or environment variable.
3) If someone does get access to your source, they at least won't have the keys to the kingdom.
4) Separation of concerns.