Security: Definition.json exposes sensitive information at client side


I would like to use the definition.json for the database credentials, but noticed that they are pushed and visible at the client's browser as a response to the 'get':

    "type": "inventory",
    "instanceId": "yui_3_7_3_1_1365525487840_52",
    "config": {},
    "defaults": {},
    "definition": {
        "db_settings": {
            "ipServidor": "",
            "usuario": "test_user",
            "password": "something"
    "assets": {

Is there any workaround for this, so that the db credentials or other sensitive info would not propagate to the client?

kind regards,

2 Replies
  • Arska, you can use the context to restrict certain configurations to a particular runtime. More information about the context here:

    • http://developer.yahoo.com/cocktails/mojito/docs/topics/mojito_using_contexts.html

    And here is an example:

            [{
                "settings": [ "master" ],
                "foo": "something"
            }, {
                "settings": [ "runtime:server" ],
                "foo": "something else",
                "bar": "something new"
            }]

    where foo has a different value for client and server, and bar is only available on the server runtime.

    This is one of the most powerful features in the Mojito configuration infrastructure, and you can use the same principle at any level in the configuration.

  • Thanks Caridy, awesome...
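
An added example (not part of the thread and not Mojito's own resolver): a simplified JavaScript model of how context sections are selected, with a check that the client-runtime view carries no credential-like keys. The merge rules, the function names and the `title` key are assumptions; the `db_settings` values are the ones from the question.

```javascript
'use strict';
// Simplified model of context-based config resolution.
// Assumption: this is NOT Mojito's actual resolver, only an illustration.

// Constructed sample: a definition.json-style array with the credentials
// moved into a section that applies only to the server runtime.
const definition = [
  { settings: ['master'], title: 'inventory' },
  {
    settings: ['runtime:server'],
    db_settings: { ipServidor: '', usuario: 'test_user', password: 'something' }
  }
];

// A section applies when every entry in "settings" is either "master"
// or a "key:value" pair that matches the given context.
function sectionApplies(settings, context) {
  return settings.every((s) => {
    if (s === 'master') return true;
    const idx = s.indexOf(':');
    return idx > 0 && context[s.slice(0, idx)] === s.slice(idx + 1);
  });
}

// Shallow-merge the applicable sections in file order, dropping "settings".
function resolveConfig(sections, context) {
  const out = {};
  for (const { settings = [], ...values } of sections) {
    if (sectionApplies(settings, context)) Object.assign(out, values);
  }
  return out;
}

// Return dotted paths of keys that look sensitive in a resolved config.
const SENSITIVE = /pass|secret|token|usuario/i;
function findSensitiveKeys(obj, prefix = '') {
  const hits = [];
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (SENSITIVE.test(key)) hits.push(path);
    if (value && typeof value === 'object') hits.push(...findSensitiveKeys(value, path));
  }
  return hits;
}

const clientView = resolveConfig(definition, { runtime: 'client' });
const serverView = resolveConfig(definition, { runtime: 'server' });
console.log('client sees:', clientView, 'sensitive keys:', findSensitiveKeys(clientView));
console.log('server sees keys:', Object.keys(serverView));
```

Running `findSensitiveKeys` against the client-context view in a build or test step catches a credential that was left in the `master` section before it is served to a browser.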

