According to an issue on Github, you can add run a single javascript line before react is loaded to prevent it.
<script>
window.__REACT_DEVTOOLS_GLOBAL_HOOK__.inject = function () {}
</script>
Then, you may consider wrapping this with your environment condition, like that you could do sth like below in your server side rendering. Let’s say Pug (formerly known as Jade):
#{process.env.NODE_ENV == 'production' ? "window.__REACT_DEVTOOLS_GLOBAL_HOOK__.inject = function(){}" : ""}
However, it would be still a good practice to put the business logic and the sensitive data back to your server.