API token with env variable is not secure -Get Access token easily of Contentful project

Ali Hussain Dhuniya
Learning Frontend Development

But does that actually matter?

It's up to you. If you have a backend service, then you should hide the token there; otherwise it can become a security issue. Even if you are only consuming data with GET requests, I would recommend hiding it.

If you don't know about server-side code, proxies, or serverless functions, then use Cloudflare. Later on, I will show you different ways to hide API tokens from the client.


This is how the Contentful team describes it:

Contentful Team
Nov '17
As a general rule any configuration value, even if unrelated to security, should be kept off of source control. I would always recommend committing only placeholders. That’s just a good practice that should always be followed.

That being said, allowing the public to learn your space ID and Content Delivery API (CDA) token isn’t a security issue if that space holds only content meant for public consumption. The reasons are:

  1. CDA is read-only. No one can use its token to change your content, so that’s safe.

  2. Content is public in this scenario, so the worst that can happen is someone very technical firing up a REST client and getting it without going through your site - which isn’t very legible, as it’s all JSON payloads.

  3. If you’re concerned about the risk of a malicious agent using that token to cause a lot of API calls, remember that the risk is no higher than that agent simply loading your site a lot of times. There’s no measurable security difference.

If your content is meant for consumption only by logged in users, on the other hand (ex: premium content for users only), then we recommend you don’t expose the CDA token and keep it server-side, routing all CDA calls through there instead.

In any case, please always keep placeholders in your public repository and never actual tokens. Like I said, it’s a good practice to follow.
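The server-side routing the Contentful team recommends above, written out as an added example that is not code from this post or from Contentful: a small read-only proxy in the style of a Cloudflare Worker, where the CDA token lives only in a server-side environment binding and the browser calls the proxy instead of cdn.contentful.com. The binding names CONTENTFUL_SPACE_ID and CONTENTFUL_CDA_TOKEN and the allowed path list are assumptions for this example.

```javascript
// Added example: read-only proxy that keeps the Contentful CDA token server-side.
// Binding names (CONTENTFUL_SPACE_ID, CONTENTFUL_CDA_TOKEN) are assumed, not Contentful's.
const CDA_HOST = "https://cdn.contentful.com";

// Only the public content routes of the delivery API are forwarded (assumed allow-list).
const ALLOWED_PATHS = [
  /^\/entries$/, /^\/entries\/[A-Za-z0-9_-]+$/,
  /^\/assets$/, /^\/assets\/[A-Za-z0-9_-]+$/,
];

// Map an incoming proxy URL to the upstream CDA request. Returns null for paths
// that are not on the allow-list, so the token is never attached to arbitrary routes.
function buildUpstreamRequest(requestUrl, env) {
  const url = new URL(requestUrl);
  if (!ALLOWED_PATHS.some((re) => re.test(url.pathname))) return null;
  // Rebuild the query string so a client cannot supply its own access_token.
  const params = new URLSearchParams(url.search);
  params.delete("access_token");
  const upstream = new URL(
    `${CDA_HOST}/spaces/${env.CONTENTFUL_SPACE_ID}/environments/master${url.pathname}`,
  );
  upstream.search = params.toString();
  // The token goes in a header on the server side; the browser never sees it.
  return { url: upstream.toString(), headers: { Authorization: `Bearer ${env.CONTENTFUL_CDA_TOKEN}` } };
}

// Worker-style handler: GET only, allow-listed paths only, JSON passed straight through.
// In a real Worker this would be wired up as `export default { fetch: handleRequest }`.
async function handleRequest(request, env, fetchImpl = fetch) {
  if (request.method !== "GET") return new Response("method not allowed", { status: 405 });
  const target = buildUpstreamRequest(request.url, env);
  if (!target) return new Response("not found", { status: 404 });
  const upstream = await fetchImpl(target.url, { headers: target.headers });
  // Only the body and status are forwarded; upstream headers are dropped.
  return new Response(upstream.body, {
    status: upstream.status,
    headers: { "content-type": "application/json" },
  });
}
```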

List of resources shown in the video:

  1. The YouTube video which shows storing the Access token in a .env variable
    timing: watch from 10:29

  2. post

  3. Contentful example app

  4. A forum post on Should I keep Access Tokens secret?

  5. site to enter space ID and Access token

  6. Demo website and code which are used in this video


Thank you
