But that doesn't matter. What?
It's up to you. If you have a backend service, you have to hide it; otherwise it can cause a security issue. Even if you are consuming data with GET requests only, I would recommend hiding it.
If you don't know about the server side, proxies, or serverless, use Cloudflare. Later on, I will show you different ways to hide APIs from the client.
This is how the Contentful team describes it:
pedro.carvalho
Contentful Team
Nov '17
As a general rule any configuration value, even if unrelated to security, should be kept off of source control. I would always recommend committing only placeholders. That’s just a good practice that should always be followed.
That being said, allowing the public to learn your space Id and Content Delivery API (CDA) token isn’t a security issue if that space holds only content meant for public consumption. The reasons are:
CDA is read-only. No one can use its token to change your content, so that’s safe.
Content is public in this scenario, so the worst that can happen is someone very technical firing up a REST client and getting it without going through your site - which isn’t very legible, as it’s all JSON payloads.
If you’re concerned about the risk of a malicious agent using that token to cause a lot of API calls, remember that the risk is no higher than that agent simply loading your site a lot of times. There’s no measurable security difference.
If your content is meant for consumption only by logged in users, on the other hand (ex: premium content for users only), then we recommend you don’t expose the CDA token and keep it server-side, routing all CDA calls through there instead.
In any case, please always keep placeholders in your public repository and never actual tokens. Like I said, it’s a good practice to follow.
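One way to do the server-side routing the reply above recommends, as an added example that is not code from this post or from Contentful: a small Node.js proxy that keeps the space ID and CDA token in environment variables, accepts only an allow-listed content type from the browser, and forwards just the entries. The variable names CONTENTFUL_SPACE_ID and CONTENTFUL_CDA_TOKEN and the content type 'galleryImage' are assumptions.

```javascript
// Assumptions (not from the post): env vars CONTENTFUL_SPACE_ID and
// CONTENTFUL_CDA_TOKEN hold the values, and 'galleryImage' is a constructed
// content type name used only to illustrate the allow-list.

// Only content types listed here can be requested through the proxy, so the
// client cannot use it as an open relay to arbitrary Contentful endpoints.
const ALLOWED_CONTENT_TYPES = new Set(['galleryImage']);

// Build the Content Delivery API URL. The browser only ever sends a content
// type; the space ID is added here and the token never goes into the URL.
function buildCdaUrl(contentType, env) {
  if (!ALLOWED_CONTENT_TYPES.has(contentType)) {
    throw new Error(`content type not allowed: ${contentType}`);
  }
  const space = encodeURIComponent(env.CONTENTFUL_SPACE_ID);
  const url = new URL(`https://cdn.contentful.com/spaces/${space}/environments/master/entries`);
  url.searchParams.set('content_type', contentType);
  return url.toString();
}

// The CDA token travels upstream as a bearer header and is never echoed back.
function upstreamHeaders(env) {
  return { Authorization: `Bearer ${env.CONTENTFUL_CDA_TOKEN}` };
}

// Fetch entries on behalf of the client. fetchImpl is injectable so the logic
// can be exercised offline with a stubbed fetch.
async function proxyEntries(contentType, env, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(buildCdaUrl(contentType, env), { headers: upstreamHeaders(env) });
  if (!res.ok) return { status: 502, body: { error: 'upstream error' } };
  const data = await res.json();
  // Forward only the entry items, not the whole upstream response.
  return { status: 200, body: { items: data.items ?? [] } };
}

// HTTP front: GET /?content_type=galleryImage from the browser; the token stays here.
function startProxy(port = 3000) {
  return require('node:http').createServer(async (req, res) => {
    const contentType = new URL(req.url, 'http://localhost').searchParams.get('content_type') ?? '';
    let out;
    try { out = await proxyEntries(contentType, process.env); }
    catch (err) { out = { status: 400, body: { error: err.message } }; }
    res.writeHead(out.status, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(out.body));
  }).listen(port);
}

if (typeof module !== 'undefined') module.exports = { buildCdaUrl, upstreamHeaders, proxyEntries, startProxy };
```

Start it with `node -e "require('./proxy.js').startProxy(3000)"` after exporting the two variables; the React app then fetches from the proxy instead of cdn.contentful.com, so the token never reaches the browser.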
List of resources shown in the video:
The YouTube video which shows storing the access token in a .env variable
link: https://www.youtube.com/watch?v=PB5RQk5gAdQ
timing: watch from 10:29
dev.to post
link: https://dev.to/tarekhassan410/react-js-contentful-starting-32h3
Contentful example app
link: https://www.contentful.com/developers/docs/javascript/example-apps/
A forum post on "Should I keep Access Tokens secret?"
link: https://www.contentfulcommunity.com/t/should-i-keep-access-tokens-secret/457/2
Site to enter the space ID and access token
link: https://discovery.contentful.com/
Demo website and code used in this video
demo: https://contentful.github.io/gallery-app-react/
code: https://github.com/contentful/gallery-app-react
Thank you