
I have a VueJS (V2) based application. I have Vue Devtools turned off in production; however, there is a Chrome addon called Vue Force Dev, available here: https://github.com/hzmming/vue-force-dev, that can force dev tools even on production apps. You can see it in the GitHub ReadMe for VueJs.org, which is Vue's prod site.

This opens up a huge security hole in my app. I don't want anyone to have the ability to see the state of the app. Someone can potentially reverse engineer and cause harm.

I use Vue CLI to build, which automatically turns off Vue Devtools in production. The official Vue Devtools addon does not work; however, Vue Force Dev does work.

I also tried adding the following to my main.js, but it's the same result:

    Vue.config.productionTip = false
    Vue.config.devtools = false
    Vue.config.debug = false
    Vue.config.silent = true

Below is VueJS.org's current prod site as of today. I was able to use the devtools on the site using the addon.

[Screenshot]

  • That is normal for VueJS; you can't stop that. So, you have to choose carefully what information shouldn't be passed to the front end. Any backend you're using? – BlackLotus Mar 16 '23 at 17:44
  • No frontend is ever truly "secure". Devtools only makes snooping easier. Even if you could disable the extension, it's not possible to completely hide your internal state from someone dedicated enough to figuring it out. – yoduh Mar 16 '23 at 17:48

0 Answers