Exactly.

That’s a great pattern, just make sure that you disable CORS for that API. You want to make sure that only your website can access that api. Good job!

edit: i've just rewatched the part of your video regarding on proxy servers and realised that I misunderstood what you were saying. I had the proxy server send the secretApiKey to the front end when requested, which is clearly a weakness, and not what you were saying. However, my AWS env variables solution is still good (i hope)

edit2: This doesnt work. Even the AWS env variables are available in the browser code

No problem, glad I could help.

+1

restart NPM I had the same problem.

Use a well respected, well maintained 3rd party library to handle the generation of API keys.

@@PortEXE Thanks!!!

Make sure CORS is disabled. Look into CORS.

PortEXE thanks so how exactly would I protect the route from users but allow fetch requests?

No that is incorrect.

In a way he is correct, however you now have the control over your server and you can validate the requests yourself before executing the request. For example, you may add authentication and tokens to ensure that user is eligible to do that request. Another example, you may throttle attacks, log incoming requests and find anomalies to detect hackers.

this is the truth!

exactly, please do not rely only on CORS!!!

I built a web app for fun from superheroapi.com to seach and showcase some super hero data (this was before I knew about .env), and my api was stuck right in the code. I was able to get it to render locally, but when I tried to deploy to firebase, it kept kicking out cors errors. Now i dont really care if someone gets the api key and sends get requests on my behalf, since it's just a toy api in the first place. My workaround WAS going to be to run it using the cors-anywhere npm package (www.npmjs.com/package/cors-anywhere) but I realized that didn't get to the heart of my issue/knowledge gap. I put that off to the side as I got some freelance volunteer work that I was offered (pastor at a church). I built it using a gatsby starter and connected it to firebase for deployment after setting up a wordpress plugin to pull in the guy's sermons and messages to the flock(the wp plugin didn't require an api since it was just a get request to the wp server). Now at the point where I did connect the firebase plugin, I did save all the api keys to .env files as per standard. I ran gatsby build, firebase deploy, and git push to save my work. A few hours later, I got a git guardian message saying a google secret was exposed. ^%*#@%. I read up on the docs from Firebases and I kinda got the impression that the open key was like the main key and wasn't exactly a 'secret', since you were usually trying to get people to hit your page. Kaaay..... But what happens on my next project, where I have to set up an e-commerce store and process payment data? Sure want to keep that secret, right???? And I've mostly worked on front-end stuff like JS and frame-works, havent even touched server-side node, and now stack overflow is telling me to use functions to process all my calls. Kaaay..... Questions:

Can I script api calls the same way on the back-end as on the front-end? async/await? Will saving the API key in the back-end function keep the key protected, or should I have it reference another file inside my db or something? Bonus and Unrelated: Would also like to set up some kind of page rebuild of his website when he makes a new post on wordpress. Can you point me in the right direction??? If you can help me out, that would be amazing.

It would still be easily viewable within the browser. System variables are environment variables. It’s the same thing.

You’re welcome

Yes!

Which information would you have included