DEV Community

Ali Hussain Dhuniya

An API token in an env variable is not secure - get the access token of a Contentful project easily

But does that even matter?

It's up to you. If you have a backend service, then you should hide the token there; otherwise it can cause a security issue. Even if you are only consuming data with GET requests, I would recommend hiding it.

If you don't know about server-side code, proxies or serverless functions, then use Cloudflare. Later on, I will show you different ways to hide APIs from the client.
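As an added example (not code from this post, from Contentful or from the example app), this is a Cloudflare Worker-style proxy of the kind recommended above: the React app calls the worker, and only the worker holds the Content Delivery API token. The binding names SPACE_ID, CDA_TOKEN and ENVIRONMENT are assumed worker secrets, not names from the post.

```javascript
// Added example: a Worker that forwards read-only Contentful CDA requests while
// keeping the token server-side. Secrets are bound as worker secrets (assumed
// names), e.g. `wrangler secret put CDA_TOKEN`, so they never reach the bundle.

const CDA_HOST = "https://cdn.contentful.com";
// Only read-only CDA collection endpoints are forwarded; anything else is refused.
const ALLOWED_PATHS = new Set(["/entries", "/assets", "/content_types"]);

// Pure function (unit-testable): decides whether a browser request may be
// forwarded and, if so, builds the upstream URL and headers (token added here).
function buildUpstreamRequest(method, clientUrl, env) {
  if (method !== "GET") return { ok: false, status: 405 };
  const url = new URL(clientUrl);
  if (!ALLOWED_PATHS.has(url.pathname)) return { ok: false, status: 404 };
  // The client may pass CDA query filters (content_type, limit, ...) but never
  // an access_token or the space/environment: those are fixed by the worker.
  const params = new URLSearchParams(url.search);
  params.delete("access_token");
  const environment = env.ENVIRONMENT || "master";
  const upstream = new URL(
    `${CDA_HOST}/spaces/${env.SPACE_ID}/environments/${environment}${url.pathname}`
  );
  upstream.search = params.toString();
  return {
    ok: true,
    status: 200,
    url: upstream.toString(),
    headers: { Authorization: `Bearer ${env.CDA_TOKEN}` },
  };
}

// Worker entry point (Cloudflare "module" syntax; deploy with `export default worker`).
// `env` carries the bound secrets; the browser only ever sees the JSON payload.
const worker = {
  async fetch(request, env) {
    const plan = buildUpstreamRequest(request.method, request.url, env);
    if (!plan.ok) return new Response("not allowed", { status: plan.status });
    const upstream = await fetch(plan.url, { headers: plan.headers });
    // Pass the CDA response through; the Authorization header is never echoed.
    return new Response(upstream.body, {
      status: upstream.status,
      headers: { "content-type": "application/json" },
    });
  },
};
```

The same allowlist approach also gives you a single place to add rate limiting or a session check if the content is not meant to be public.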


This is how the Contentful team describes it:

pedro.carvalho (Contentful Team), Nov '17:
As a general rule any configuration value, even if unrelated to security, should be kept off of source control. I would always recommend committing only placeholders. That’s just a good practice that should always be followed.

That being said, allowing the public to learn your space Id and Content Delivery API (CDA) token isn’t a security issue if that space holds only content meant for public consumption. The reasons are:

  1. CDA is read-only. No one can use its token to change your content, so that's safe.
  2. Content is public in this scenario, so the worst that can happen is someone very technical firing up a REST client and getting it without going through your site - which isn't very legible, as it's all JSON payloads.
  3. If you're concerned about the risk of a malicious agent using that token to cause a lot of API calls, remember that the risk is no higher than that agent simply loading your site a lot of times. There's no measurable security difference.

If your content is meant for consumption only by logged in users, on the other hand (ex: premium content for users only), then we recommend you don’t expose the CDA token and keep it server-side, routing all CDA calls through there instead.

In any case, please always keep placeholders in your public repository and never actual tokens. Like I said, it’s a good practice to follow.

Resources shown in the video:

  1. The youtube video which shows storing Access token with .env variable
    link: https://www.youtube.com/watch?v=PB5RQk5gAdQ
    timing: watch from 10:29

  2. dev.to post
    link: https://dev.to/tarekhassan410/react-js-contentful-starting-32h3

  3. Contentful example app
    link: https://www.contentful.com/developers/docs/javascript/example-apps/

  4. A forum post on "Should I keep Access Tokens secret?"
    link: https://www.contentfulcommunity.com/t/should-i-keep-access-tokens-secret/457/2

  5. Site to enter a space ID and access token
    link: https://discovery.contentful.com/

  6. Demo website and code used in this video
    demo: https://contentful.github.io/gallery-app-react/
    code: https://github.com/contentful/gallery-app-react

Thank you
