Application Modules

Security & Secrets

Keep secrets out of Git and the browser using env var expansion and Tera templating in proxy configurations.

Edit this page on GitHub

Security & Secrets

To prevent secrets from being checked into Git or leaked to the browser, the inject_headers and target configurations support environment variable expansion using the ${env.VAR_NAME} syntax.

For advanced use cases, both target and inject_headers values support dynamic Tera templating (e.g., {{ env.VAR_NAME }}).

  • In Community Edition (rescile-ce), these variables are resolved from the system’s environment variables.
  • In Enterprise Edition (rescile-portal), these variables are resolved from the workspace’s secrets map defined in rescile-portal.toml, allowing different environments (dev vs prod) to use different credentials transparently without altering the module code.

  1. ${env.VARIABLE} (Regex Expansion)

    • Evaluated by a simple regex replacement (expand_env_vars).
    • Runs faster since it completely bypasses the Tera templating engine if no Tera tags are present in the string.
    • Ideal for straightforward interpolation, such as placing an API token into a static target URL or header.

  2. {{ env.VARIABLE }} (Tera Templating)

    • Evaluated by the Tera templating engine (which has access to an env object in its context).
    • Enables complex logic, advanced filters (like cryptographic signing via hmac_sha256), and interaction with the request context object (which provides method, path, query, body, headers, and timestamp).
    • Best for advanced proxy configurations that require dynamic payload hashing or conditionally constructed headers.

Note: The proxy.toml file is parsed by the server and explicitly excluded from the static file server. It will never be served to end-users.