I'm currently interning and trying to learn as much as I can. Recently, my manager and our senior DevOps engineer have been insisting that I "hide" our API URLs and keys from the frontend. They want to ensure these details aren't visible in the browser's developer tools, including the Network and Sources tab. I've done some reading and gathered that anything included in the frontend can potentially be exposed since the API calls and keys are part of the network requests. Is there a misunderstanding on my part? Can API keys actually be protected in web applications?
3 Answers
Chances are your leads are asking you to ensure the API key isn’t exposed to users by making API calls from the server. If they’re referring to hiding endpoints, it’s a matter of routing those requests through your backend, essentially making it a middleman for any sensitive communications.
Yes, anything visible in the frontend is public. Make sure your requests go through a backend proxy to limit exposure. Anything directly accessed by the client is at risk, so always handle sensitive data on the server.
It's crucial to ensure that users authenticate, receiving a temporary access token that allows them to call the API while keeping the actual keys hidden. If any keys are being passed to the frontend, even indirectly, they can be exposed.