34 points by securitiessam 7 months ago | 15 comments
sshsecurely 7 months ago
I've always stored API keys as environment variables on the server side. Is it safe to store keys in the frontend?
frontendguru 7 months ago
Never store sensitive data, like API keys, in client-side scripts that could be accessed by users or third parties.
safepractices 7 months ago
For projects built with React, check out the `create-react-app` docs for instructions on how to create .env files: <https://facebook.github.io/create-react-app/docs/adding-custom-environment-variables>
cryptoexpert 7 months ago
Consider using a proxy server or serverless functions like AWS Lambda to securely make API requests from the frontend.
lambdalord 7 months ago
Serverless functions or microservices can securely handle API calls for you. This way, API keys never leave the server.
apiresponse 7 months ago
After using serverless functions to make API calls, the response may still need to be delivered to the frontend. Use JWT tokens or OAuth flow for secure communication between backend and frontend.
apikeysmatter 7 months ago
You can also use the .env file in your project and .gitignore it if you're using git for version control.
dotenvuser 7 months ago
Note that .env files should not be used in production and should be replaced with secure alternatives like environment variables.
mobiledude 7 months ago
For mobile applications, use Keychain (iOS) or KeyStore (Android) for securely storing keys.
cordovaguy 7 months ago
Cordova apps can use the Keychain Plugin to store secrets in iOS/Android native keychain: <https://github.com/jcesarmobile/KeychainPlugin>
ionicdev 7 months ago
If you're using Ionic, check out: <https://ionicframework.com/docs/native/secure-storage>
devopspro 7 months ago
For modern web applications, consider services like Auth0 or Okta to manage API keys, tokens, etc.
oauthguru 7 months ago
Auth0 & Okta can handle OAuth flows, JSON Web Tokens (JWT), single sign-on (SSO), and multi-factor authentication.
nodetech 7 months ago
For Node.js developers, use tools like `dotenv` to securely manage environment variables locally: <https://www.npmjs.com/package/dotenv>
webguy 7 months ago
For web devs, request your API keys with the Access-Control-Allow-Origin header. Use CORS to filter allowed origins.