Most things that run on the client side can be tampered with; if they so choose, they could inspect your page (or just look at the network requests) and extract the API key.
If you try out Google APIs, they let you generate a key and restrict it by HTTP Referrer.
You can also use Netlify’s proxy to put both the front-end and back-end under the same domain, eliminating problems with CORS.
Thanks. If it's netlify.toml, it is easy to hide.