I built a create-react-app, which essentially pulls back data from http://strava.com. Part of the authorization process of getting data from strava is initially passing a Client Secret ID query parameter.
I have a .env file where I store this key value, i.e. REACT_APP_CLIENT_SECRET=1234567890, and my .env file resides in .gitignore so it is not exposed in my Git repo.
I then stored the key value in a Netlify environment variable under Build and Deploy settings.
I set up a Lambda function to handle the Axios call that passes the Client Secret ID to strava (intended to make the call on the server thus securing my client secret). This all works great.
What I didn’t expect however was that the Client Secret ID is still accessible in the source through the client.
I’m a novice in web development and learning as I go. What I don’t understand is whether this is something I need to resolve on the create-react-app side or the Netlify side.
Can someone provide any insight and help me figure out how to secure this?
Thanks in advance.
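
Added example, not part of the original post: Create React App inlines every `REACT_APP_`-prefixed variable into the browser bundle at build time, so one way to keep the secret server-side is a Netlify function that reads it from an unprefixed variable and performs the Strava token exchange itself. The file name and the `STRAVA_CLIENT_ID` / `STRAVA_CLIENT_SECRET` variable names are assumptions.

```javascript
// netlify/functions/strava-token.js (hypothetical file name)
// The secret lives in an env var WITHOUT the REACT_APP_ prefix, so the React
// build never sees it; only this server-side function reads it.
const TOKEN_URL = "https://www.strava.com/oauth/token";

// Build the token-exchange request. Env var names are assumed for this example.
function buildTokenRequest(code, env) {
  const { STRAVA_CLIENT_ID, STRAVA_CLIENT_SECRET } = env;
  if (!STRAVA_CLIENT_ID || !STRAVA_CLIENT_SECRET) {
    throw new Error("Strava credentials are not configured");
  }
  return {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      client_id: STRAVA_CLIENT_ID,
      client_secret: STRAVA_CLIENT_SECRET,
      code,
      grant_type: "authorization_code",
    }),
  };
}

// Netlify calls handler(event, context); the last two parameters exist only
// so the function can be exercised offline with a fake fetch and fake env.
async function handler(event, context, fetchImpl = globalThis.fetch, env = process.env) {
  const code = (event.queryStringParameters || {}).code;
  if (!code) {
    return { statusCode: 400, body: JSON.stringify({ error: "missing code" }) };
  }
  try {
    const res = await fetchImpl(TOKEN_URL, buildTokenRequest(code, env));
    if (!res.ok) throw new Error("upstream status " + res.status);
    const data = await res.json();
    // Return only what the browser needs; the client secret and the
    // refresh token never leave the function.
    const body = { access_token: data.access_token, expires_at: data.expires_at };
    return { statusCode: 200, body: JSON.stringify(body) };
  } catch (err) {
    // Generic error: do not echo request details, which contain the secret.
    return { statusCode: 502, body: JSON.stringify({ error: "token exchange failed" }) };
  }
}

if (typeof module !== "undefined") module.exports = { handler };
```

The React code then calls `/.netlify/functions/strava-token?code=...` and no longer references any `REACT_APP_` variable holding the secret.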