Hide sensitive information in web page source code

[SteveSuv]

when I view the source code of website built with remix, I found loader data which from database has shown in window.__remixContext. why not hide these data which maybe sensitive.

window.__remixContext = {"url":"/","state":{"loaderData":{"root":{"userInfo":null},"routes/_index":{
   // data from database maybe sensitive
}}}

[sergiodxa]

Anything you return from the loader is going to be sent to the browser anyway, either as part of the rendered HTML or when doing a client-side navigation in the request body.

Your loader shouldn't return anything that you don't want users to have access to.

[SteveSuv]

But this will make it easier for third-party crawlers to steal data. For example, when displaying the user list on the search user page, I will only use uid as the key of users.map, which is not part of the visible content of the page, but all uids will be displayed in the source code. Third-party crawlers will grab these data and store them in their own databases, which is too easy, because the data displayed in the source code is pure json.

[kiliman]

That's one of the drawbacks to client-side rendering. You'll need to send all the required data to render, even if it's not visible.

If you're only using uid as a key, then perhaps instead of sending that, you send a hash of the uid.

Obviously, you'll need to figure out what is appropriate on a case-by-case basis. And in some cases, you may not even have a choice if some critical data is required for rendering logic.

I think that's probably one of the main benefits of RSC is that you can keep some rendering on the server always.

[sergiodxa]

Also even if you only used an SPA, those UUIDs would be accesible on the API response which is easy to discover by inspecting the browser network devtools or intercepting requests in a network, that is supposing someone wants to actively discover and steal that information.