Home > OS >  Hide secret keys in network payload
Hide secret keys in network payload

Time:05-31

I have a Vue Storefront which, out of the box, exists of a Nuxt.js front-end and a Express.js back-end.

In this project I created a custom Server Middleware (which is the Express.js part) that has an Axios call in it. My entire Vue Storefront project is hosted and deployed on a server where I also store the secret keys for the Axios call as eviorment variables. Whenever I request data via the Axios call on the deployed website, I can still see my secret keys in payload in the browser console.

Can these keys be hidden? Since the call is done in the VSF Server Middleware (which is a Express.js server under the hood) and my secret keys are defined on the server too... Not in a .ENV file.

The official docs also state the following about the server middleware:

  • Securely store credentials on the server without exposing them to theend-users of your application,

I also have Server Side Rendering enabled, if this has any effect on this.

CodePudding user response:

As explained in my previous answer here, you cannot really hide anything on a client side app.

The fact that you do have ssr: true and target: 'server' enables the usage of a serverMiddleware. Nuxt is also an Express server, so you could technically still totally hide stuff, the configuration of this one is detailed here. Please pay attention to the whole answer (especially the gotcha at the end).

The TDLR is as mentioned above: you'll need some kind of proxy to hide that, so you could do that:

  • directly with Nuxt2 but it's kinda tricky and hard to work with overall, on top of paying a whole Node.js server and a possible mistake exposing those tokens at some point
  • get another Node.js server to properly separate the concern and use that one as a proxy, it can be pretty light (no need for a beefy configuration), not as expensive price-wise
  • a serverless function could be the best idea here because it's light, cheap and you don't need to manage anything (send your query there, it will proxy the request with the secret token) but it can be a bit annoying regarding cold starts
  • Related