Hi everyone,
We are currently implementing an Adobe Commerce on Edge Delivery Services (EDS) storefront connected to AEM Sites as a Cloud Service.
In our current setup, the file https://example.com/configs.json is publicly accessible from the browser.
This file contains environment-related configurations and API endpoints required for the Drop-ins initialization.
While this approach works functionally, it raises a security concern for production environments since the file is exposed and potentially reveals sensitive configuration details.
I would like to know what Adobe recommends as the best practice for handling environment configs and secrets in EDS storefronts.
Specifically:
Should these values be managed through a secure service, such as Adobe App Builder runtime variables?
Is there a supported mechanism to inject configuration dynamically without exposing it client-side?
Would Adobe recommend using a CDN layer (Fastly/Cloudflare) or a proxy to protect this configuration?
Any official guidance, documentation, or examples from production implementations would be greatly appreciated.
Thanks in advance!
