HTTP 403 on .data

I have a project that uses Firebase and I thought that the safe way to store the Firebase access details would be to put them in .data/. So I have .data/config.js that contains the firebaseConfig JSON provided by Firebase.

But I get an HTTP 403 when my project tries to load this file. I don’t understand why. Is this directory supposed to be accessible when a project runs? If not, where should I put the Firebase info?

You’re right, .data files are not present in remixes.

However, I would mildly suggest following ~firebase-quickstart and putting the secrets in .env; it’s a more conventional setup, at least on Glitch.

Probably, you want the firebaseConfig to be accessed by the server-side code, not the client-side code? (because if you send the secrets to the client they’re not very secret). If you put the secrets as KEY=value pairs in the special .env file, then you can access them as process.env.KEY in the server-side code, which is convenient.

If you don’t want to use .env, you could load .data/config.js using something like const config = JSON.parse(fs.readFileSync('.data/config.js', 'utf8')), somewhere in your server-side code.

Hope this helps,


Thanks, I’ll try using .env instead. I don’t understand why .data/config.js gets a 403 though. Aren’t files there supposed to be accessible?

If your project does not contain a package.json file then Glitch treats it as a static site. Static sites cannot not really have secrets, since they send everything to the client.

However, Glitch’s static site webserver does block access to paths such as “.env” and “.data”. This is for consistency with Glitch’s behavior on Node project. Glitch treats your project as a Node project if it does contain a package.json file. You might, in the course of editing your Node project, remove package.json, and you would not like your secrets to be accidentally temporarily published to anyone on the internet who visits

Hope this helps,


I really appreciate that you’re trying to help, but honestly I’m more confused now than when I started. This project worked last summer and hasn’t been changed since then. Now it does not work, and I don’t understand why or how to fix it.

I moved Firebase credentials to .env but now I get errors that process is not defined, so the project still doesn’t work. I think that’s because I’m trying to use it in client-side code. But I’m not a web developer and I don’t know anything about node, and I don’t know how to make client side and server side code work together on Glitch.

You can’t access .env from the client. Since you’re connecting to Firebase on the client anyone will be able to view your Firebase connection credentials.