loading...

Discussion on: How To Write Your First HTTP Request to NASA

Collapse
lietux profile image
Janne "Lietu" Enberg

This really highlights why you really should avoid giving frontend programs access to your API keys and other such tokens and always route requests via your backend.

You give access to your API keys and other secrets to the frontend and literally anyone can see them.

You should
1) Better block out your API key from your screenshots
2) Remove it from your example code
3) Get NASA to invalidate that one and issue you a new one

Edit: I guess the example codes use some demo key, that's probably fine. The screenshot is still easily readable.

Collapse
amazingdev profile image
Amazing Dev
  • This is not an issue if API tokens are restricted by domain.
  • There is nothing wrong with accessing the API from the frontend on its own. In some cases, it's even better (eg. when you don't want to put too much load on the backend, or you don't need to log metadata about these requests)
  • However it is true that more information is exposed, thus some thought should be put into how this can be abused, and how to prevent that.
Collapse
lietux profile image
Janne "Lietu" Enberg

When you say "the API" you probably very specifically mean this API specifically, there's a lot of other APIs that would require you to actually keep your credentials secret, when they e.g. result in billing events. This is why it's a good practice to avoid doing things like this on the frontend.

If your requests are causing too much load on your backend, just think what you're doing to other peoples' backends. Logging etc. is of course configurable, by you.

Collapse
ng_tracyy profile image
👩‍💻Tracy A King Author

The credentials have been invalidated as an extra precaution but thank you!