Hey folks, I’m setting up a blog and using API calls to get blog posts from my Laravel backend. I know anyone can peek at the source code and see the endpoints and keys. But do we really need to go all out with security for something like this?
I mean, most websites let you see the backend requests. Is it really necessary to hide this stuff on my own backend? Maybe you could have a handshake endpoint with a hashed secret and use that to set up a cookie, though that seems a bit much for a blog. Or maybe use WebAssembly with Rust to keep some code hidden.
I’m wondering if the effort is worth it or if there’s a simpler way to handle it. What do you think?
3 Likes
You can’t really hide anything in the frontend—if you put keys there, anyone can see them.
Instead, you should authenticate your users, maybe by sending them to an external auth service. Then, the frontend gets a token and uses that token to handle authentication and authorization.
Basically, the frontend acts on behalf of the user, so it only gets to do what the user is allowed to do. You give the user access, and the frontend uses that access to get things done.
2 Likes
To keep your API keys safe, don’t put them in your front-end code. Instead, let your Laravel backend handle the API requests and have your front-end make requests to your backend. This way, your API keys stay hidden on the server.
2 Likes
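As an added illustration of the backend-proxy pattern this answer describes (example code, not from this thread or from Laravel itself): the upstream key lives in server-side config, the browser only ever calls the Laravel route, and the route forwards a single validated parameter rather than the raw request. The `services.upstream.key` config entry, the upstream URL and the `Post` model are assumptions made for the example.

```php
<?php
// routes/api.php (added example, not the asker's code)
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Route;

// Public, read-only listing. Nothing secret is needed here, so it is fine
// that anyone can see this endpoint in the page source. Rate-limited so a
// script hammering it costs you little.
Route::get('/posts', function () {
    return \App\Models\Post::query()
        ->select(['id', 'title', 'slug', 'published_at'])
        ->whereNotNull('published_at')
        ->latest('published_at')
        ->paginate(10);
})->middleware('throttle:60,1');

// Proxy for a third-party service that needs an API key. The key is read
// from config/services.php (assumed: 'upstream' => ['key' => env('UPSTREAM_API_KEY')])
// and never leaves the server; the browser only learns this route exists.
Route::get('/posts/{slug}/comments', function (string $slug) {
    // Validate the one value we forward so the proxy cannot be used to query
    // arbitrary things upstream.
    if (!preg_match('/^[a-z0-9-]{1,100}$/', $slug)) {
        abort(404);
    }

    // Cache per slug: a public endpoint will be hit by bots, so avoid paying
    // an upstream call (and burning quota on the key) for every request.
    $comments = Cache::remember("comments:{$slug}", 300, function () use ($slug) {
        $response = Http::withToken(config('services.upstream.key'))
            ->timeout(5)
            ->get('https://upstream.example/v1/comments', ['slug' => $slug]); // assumed URL

        if (!$response->successful()) {
            abort(502, 'Upstream unavailable');
        }

        // Reshape the upstream payload instead of passing it through, so any
        // fields you did not intend to publish (internal ids, emails) stay server-side.
        return collect($response->json('data', []))
            ->map(fn ($c) => ['author' => $c['author_name'] ?? 'anonymous', 'body' => $c['body'] ?? ''])
            ->values()
            ->all();
    });

    return response()->json(['slug' => $slug, 'comments' => $comments]);
})->middleware('throttle:30,1');
```

Put `UPSTREAM_API_KEY` in `.env` (which is not committed) and read it only through `config()`, so a leaked frontend bundle or repository never contains the key.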
Hey, don’t stick API keys in your frontend code—keep them in the backend. Make sure you’ve got solid session management so that only authorized users can make API calls.
If you can’t separate frontend and backend APIs, just handle all the authentication on the backend. You can store user info in the frontend session and then pull it out on the backend when needed.
If neither of these options works for you, let me know and we can figure out some other solutions!
1 Like
You don’t—public endpoints that are called directly from your frontend will always be accessible to anyone. You can use CORS to block other sites from accessing your endpoint, but it can still be hit from places like a console or server.
You could hide all blogs behind a login and protect the endpoint with a user token, but that means no one’s going to create an account just for a blog, and SEO will take a huge hit.
There are ways to make it a bit harder for people to access your endpoints, but nothing that will 100% stop them. You need to decide if you want to lock your blogs behind a login and spend a lot of time making things harder to access or just go with what most people do: use DDoS protection and keep things public.
If you’re looking to invest your time wisely, consider learning about static site generation. That way, you won’t need to fetch blogs from the frontend at all.