This article is a godsend! I’ve been struggling with this and actually just published an article detailing that I’m going to have to rebuild all of my web apps because of security issues. But now I don’t! Can’t thank you enough. Thanks for the great article!
Great article!
Great article. This solution only partly addresses the problem from the browser's point of view. The proxy server can still be tricked by spoofing the origin header using a tool like curl. There's really no way your proxy server would differentiate a spoofed request from a request that originated from the browser.
You are 100% right: This only addresses the problem from the browser's point of view. Thanks for the feedback and for bringing up the issue.
What can be a solution for this problem?
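The exchange above comes down to one point: an Origin allow-list tells the proxy which browser page the request claims to come from, but any HTTP client can set that header, so the check is a CORS convenience, not authentication. The following TypeScript is an added illustration written for this discussion; it is not code from the article or from the api-key-proxy-server project, and every name in it (the `authorize` function, the `Proxy`-independent `IncomingRequest` shape, the sample origin, the session secret) is a constructed assumption. It places the Origin check next to a credential the proxy itself issued (an HMAC-signed session token handed out after the user logs in to your own app), so a request that merely copies an allowed Origin is still rejected.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Constructed sample values for this example only; a real deployment reads
// these from configuration and keeps the secret out of source control.
const ALLOWED_ORIGINS = new Set<string>(["https://app.example.com"]);
const SESSION_SECRET = "constructed-demo-secret-do-not-reuse";

// Minimal view of an incoming request; header names are assumed lower-cased.
export interface IncomingRequest {
  headers: Record<string, string | undefined>;
}

export type Decision =
  | { allowed: true; user: string }
  | { allowed: false; reason: string };

// The check the commenter is describing: it passes for any client that sets
// an allowed Origin header, browser or not, so it cannot authenticate anyone.
export function originOnlyCheck(req: IncomingRequest): Decision {
  const origin = req.headers["origin"];
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    return { allowed: true, user: "anonymous" };
  }
  return { allowed: false, reason: "origin not allowed" };
}

// Server-issued token "<user>.<hex hmac-sha256(user)>". Only a party holding
// SESSION_SECRET (the proxy) can mint one, so it is a real credential.
export function issueSessionToken(user: string): string {
  const mac = createHmac("sha256", SESSION_SECRET).update(user).digest("hex");
  return `${user}.${mac}`;
}

// Returns the user name if the token is genuine, otherwise null.
// Constant-time comparison avoids leaking how many MAC bytes matched.
function verifySessionToken(token: string): string | null {
  const dot = token.lastIndexOf(".");
  if (dot <= 0) return null;
  const user = token.slice(0, dot);
  const presented = Buffer.from(token.slice(dot + 1), "utf8");
  const expected = Buffer.from(
    createHmac("sha256", SESSION_SECRET).update(user).digest("hex"),
    "utf8",
  );
  if (presented.length !== expected.length) return null;
  return timingSafeEqual(presented, expected) ? user : null;
}

// Hardened gate: Origin allow-list (still useful for CORS) plus a session
// token the proxy issued. Spoofing the Origin alone no longer gets through,
// and every forwarded call is attributable to a logged-in user, which is
// what makes per-user rate limiting and revocation possible.
export function authorize(req: IncomingRequest): Decision {
  const origin = req.headers["origin"];
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, reason: "origin not allowed" };
  }
  const auth = req.headers["authorization"];
  const token = auth !== undefined && auth.startsWith("Bearer ")
    ? auth.slice("Bearer ".length)
    : undefined;
  if (token === undefined) {
    return { allowed: false, reason: "missing session token" };
  }
  const user = verifySessionToken(token);
  if (user === null) {
    return { allowed: false, reason: "invalid session token" };
  }
  return { allowed: true, user };
}
```

The token here stands in for whatever login your own application already has (a session cookie or a short-lived JWT work the same way); the design point is that the proxy forwards the third-party API key only on behalf of a user it can identify and throttle, rather than for anyone who presents the right Origin string.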
This article was quite helpful. I had to make a change to api-key-proxy-server to get it to work. Please see this GitHub issue.
Thanks for taking the time to report the issue! Fixed.
That all sounds right, for web at least, but most of the services that require an API key actually require you to enter a domain to which this API key is given, and for mobile the SHA-1 of your app, at least on Android. So requests from a different domain and from a different mobile app will fail. How does this proxy make things better? What about having to pay more for that proxy to work non-stop for everybody? Why implement the same authorization twice?
Hi, you are right! That's not the use case for what's described. I don't see why you would implement a proxy server if the API service you are using handles credential authorization with allowed domains. That's stated in the article.
Nice article, really helped me, but I couldn't host the proxy server on Heroku; it keeps throwing this error:
src/config.ts(27,7): error TS2322: Type '{ route: string; allowedMethods: string[]; target: string; headers: { Accept: string; Authorization: string; }; body: string; }' is not assignable to type 'Proxy'
I don't know if anybody has the same error. I am also trying to work with the GitHub GraphQL API, which is why I added body.