Hacker News
by TZubiri 185 days ago
I had this issue with a React app I inherited, there was a .env with credentials, and I couldn't figure out whether it was being read from the frontend or the backend.

So I ran a static analysis (grep) on the apk generated and

points light at face dramatically

the credentials were inside the frontend!


Why would you have anything for the backend in an APK? Wouldn't that be an app, that by definition runs on the client?

Most frameworks also by default block ALL environment variables on the client side unless the name is preceded by something specific, like NEXT_PUBLIC_*

> Most frameworks also by default block ALL environment variables on the client side

I’ve been out of full stack dev for ~5 years now, and this statement is breaking my brain

Why would you have anything for the backend in a browser app? Wouldn't that by definition run on the client?

These kinds of Node + mobile apps typically use an embedded browser like Electron or a built-in browser; it's not much different from a web app.
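The check from the original post (searching the built APK for values from the project's .env), combined with the `NEXT_PUBLIC_*` naming convention mentioned in the replies, as an added example that is not code from any poster in this thread. The archive contents, .env values and function names are constructed for illustration; APK members are read through `zipfile` because they are usually deflate-compressed, which a plain grep over the .apk file would not see through.

```python
import io
import zipfile

def parse_env(text):
    """Parse KEY=VALUE lines from .env text; skip blanks and comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        pairs[key] = value.strip().strip("'\"")
    return pairs

def find_leaks(apk_bytes, env, public_prefixes=("NEXT_PUBLIC_",), min_len=6):
    """Return sorted (env_key, archive_member) pairs where a value that is
    not marked public by its name prefix is embedded in the archive."""
    needles = {k: v.encode() for k, v in env.items()
               if len(v) >= min_len and not k.startswith(tuple(public_prefixes))}
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)  # decompresses the member before searching
            for key, needle in needles.items():
                if needle in data:
                    hits.add((key, name))
    return sorted(hits)

def build_sample_apk():
    """Constructed stand-in for a built APK: a zip with a bundled JS asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("assets/index.android.bundle",
                   'const c={url:"https://api.example.test",key:"sk_test_constructed_123"};')
        z.writestr("res/values/strings.xml", "<resources></resources>")
    return buf.getvalue()

SAMPLE_ENV = """# constructed values, not real credentials
NEXT_PUBLIC_API_URL=https://api.example.test
API_SECRET="sk_test_constructed_123"
DB_PASSWORD=never-bundled-pw
"""

if __name__ == "__main__":
    for key, member in find_leaks(build_sample_apk(), parse_env(SAMPLE_ENV)):
        print(f"{key} found in {member}")
```

Run as a release gate, a non-empty result means a value that was meant to stay server-side has been compiled into the client and should be rotated, not just removed from the next build.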