HIDE YOUR OPENSEA API KEY #529
Comments
|
Thanks,I think this is a client side API token.The best way is using a environment variable and inject at bundle process. But even if using a environment variable, people can still see it at web request or javascript bundle result. If this is a security related token or development used token, it is important to hide at souce code and using a server to proxy. Currently both OPENSEA API token or SENTRY_DSN and INFRUA API token are not secuity token. But we will eventually put it in the environment variable at last, and it is currently the test version of the application for better local use. |
loatheb
added
enhancement
|
API has a request limit by key, when you make it public - anyone can use it and you will have more throttled requests |
|
Thanks! We have revoke all OPENSEA API KEY and COVALANT_API_KEY in our code. Currently we are using environment variable to inject., Instead of hardcode into source code.We didn't clear the git history because the token was useless. Otherwise, the reason we didn't use a server proxy was that we wanted to keep the third-party services we used more transparent. And, although we inject through environment variables, these client tokens can still be seen in the final packaging result and runtime. |
No description provided.
The text was updated successfully, but these errors were encountered: