
Should the aws-exports.js be exposed client side / Security risk of aws-exports.js


We're using AWS Mobile Hub for our React application, mainly for authentication. I've seen in multiple places that the file that configures the SDK for the project, the aws-exports.js file, should not be included in source control.

Why should it not be in source control? I get that since we need differing versions it should be dynamically updated, but is there any security risk for the client to be able to see it?

In the inspector, we can see the information of the aws-exports.js file, and I just want to make sure we aren't exposed to any security risk if, for example, someone perusing our files could see our "aws_cognito_identity_pool_id" or "aws-region" or something like that.

Also, side note: we will eventually have a production build, so there will be some minification, I'm sure, to obfuscate the information, but I just want some clarification on best practices and potential vulnerabilities.

Thanks!


Solution

  • I don't think it's about security, because the file is eventually going to be accessible, by design. It's because the file is dynamically generated.

    The aws-exports.js file is a standard JavaScript file that is maintained by AWS Mobile Hub on your behalf. It changes when you add, remove, or edit features within AWS Mobile Hub.

    // WARNING: DO NOT EDIT. This file is Auto-Generated by AWS Mobile Hub. It will be overwritten.

    https://aws.amazon.com/blogs/mobile/integrate-the-aws-sdk-for-javascript-into-a-react-app/

    It feels like the motivation behind this practice is to prevent the wrong file from being used, inadvertently, and avoid version control interference and annoyances from having a file that is tracked, but doesn't need to be.