Where to put sensitive data files?

[captaindirgo]

I want to use a custom json file for storing things like cryptokeys and database urls and other sensitive stuff. Obviously it shouldn't be checked in, and I would rather not put it anywhere under 'src' to avoid confusion, but I can't seem to find a good place for it. If I leave it in the root project file, "npm run build" won't copy it over.

[accuser]

A .env file in the root of your project (or package, if you're in a monorepo) would be the normal place to store these. The way SvelteKit work, the environment variables can be imported statically (i.e., they are injected at build time) or dynamically (i.e., they are read at run time).

[teemingc]

https://kit.svelte.dev/docs/server-only-modules

The section from the docs above give a pretty good overview for storing private / sensitive information.

[captaindirgo]

Yes, but that requires putting them under "src/lib". Since I don't want this file checked in with the other data, I'd rather not put it anywhere under "src" to avoid someone accidentally checking it in and uploading it to github. I know I could use .gitignore, but it just seems awkward to put instance-level configuration files into "src"

[teemingc]

Yes, but that requires putting them under "src/lib". Since I don't want this file checked in with the other data, I'd rather not put it anywhere under "src" to avoid someone accidentally checking it in and uploading it to github. I know I could use .gitignore, but it just seems awkward to put instance-level configuration files into "src"

Sounds like using .env at the root is the way to go

[aloker]

My two cents: Basically every modern deployment option provides one means or another to inject environment variables - from simple project settings to Kubernetes secrets. I typically don't deploy an .env file at all. Those are only for development. So just add them to your .gitignore and use the deployment specific way to inject environment variables.

How are you deploying?