This repository has been archived by the owner on Apr 6, 2022. It is now read-only.

secretKey on frontend? #67

Open
chug2k opened this issue Dec 15, 2019 · 3 comments

Comments

@chug2k

chug2k commented Dec 15, 2019

The instructions ask you to put your secret key as a parameter. But to my understanding...you probably do not want to publish your secretKey in a client React App. Am I missing something?

@anthonyalviz

Use a .env file and add it to your .gitignore file.

@chug2k
Author

chug2k commented Jan 5, 2020

Understood that would keep it out of your git repository, but doesn't that still publish your secretKey when you eventually push your source code?

The build step would replace the output with your secretKey, and then every client would download the .js file ... with your secret key?

@ghassanmas

I agree with @chug2k.
I think the default instructions in the readme should explain more about the vulnerability of exposing the keys. Though the policy used restricts requests to site origins only, that still wouldn't be enough.
AWS has a tutorial for a similar use case, s3-example-photo-album, where they included this warning at the beginning:

If you enable access for unauthenticated users, you will grant write access to the bucket, and all objects in the bucket, to anyone in the world. This security posture is useful in this example to keep it focused on the primary goals of the example. In many live situations, however, tighter security, such as using authenticated users and object ownership, is highly advisable.

I think similar wording should be added to the readme.
