Correction: Do NOT hide your secrets in the root outline

Nov 3, 2021

1 min read

Scott Hanson

Correction 13 November: you should not use this for real secrets, since the root outline is not really hidden or secure. But for global variables that you don't mind having exposed it should be OK. Caveat emptor!

My video demo yesterday revealed the URL of my Netlify build hook for all to see. It's now been changed, but I need not have revealed. Drummer has a root outline where global variables can be defined.

So in the root outIine I can create an env object, and define an entry for netlifyBuildHook for the URL. (You have to use proper JavaScript object syntax, with brackets, colons and quotes.)

The xhr.open line of my build script can then be
xhr.open("POST", root.env.netlifyBuildHook, true);
without revealing the actual URL.