#for the movie watchlist solo project,
For the purposes of this project, using a free API key, it’s fine. But in real projects you would want to do two things:
- Create an environment variable and use that as the API key in your code. Add .env to your .gitignore file so that when you make commits to your GitHub repo, it doesn’t push the API keys to the repo. There are bots that crawl GitHub looking for exposed API keys.
- Using environment variables does not protect keys from being exposed on the front end. Compilers, etc., will embed that key into your code sent to the client. You can actually see the API key using dev tools. The only safe way to use an API key and not have it exposed is to call the API from the backend. You could use Netlify functions or Google Cloud Functions, or your own backend if you develop that.

For this project, with a free API key, the worst that would happen if someone uses or abuses your API key is that you hit a quota limit and your site won’t be functional. You’re not losing any money.
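
The backend approach described in the post above, sketched as a Netlify-style function. This is an added example, not part of the original post. The upstream URL, the `apikey` and `s` parameter names, and the `MOVIE_API_KEY` variable name are placeholders chosen for illustration.

```javascript
// Added example: the browser calls this function; only the function holds the key.
// Assumptions (not from the original post): UPSTREAM_URL, the "apikey" and "s"
// parameter names, and the MOVIE_API_KEY environment variable are placeholders.
const UPSTREAM_URL = "https://movie-api.example/";

// Accept only a short, non-empty search term; anything else is rejected.
function validateSearch(params) {
  const term = ((params && params.s) || "").trim();
  if (term.length === 0 || term.length > 100) return null;
  return term;
}

// Build the upstream request on the server; the key never appears in client code.
function buildUpstreamUrl(term, apiKey) {
  const url = new URL(UPSTREAM_URL);
  url.searchParams.set("apikey", apiKey);
  url.searchParams.set("s", term);
  return url.toString();
}

function reply(statusCode, body) {
  return { statusCode, headers: { "Content-Type": "application/json" }, body: JSON.stringify(body) };
}

// fetchImpl is injectable so the handler can be exercised offline.
async function handler(event, context, fetchImpl = globalThis.fetch) {
  const apiKey = process.env.MOVIE_API_KEY; // set in the host's settings or a git-ignored .env
  if (!apiKey) return reply(500, { error: "server not configured" });

  const term = validateSearch(event.queryStringParameters);
  if (!term) return reply(400, { error: "missing or invalid search term" });

  try {
    const upstream = await fetchImpl(buildUpstreamUrl(term, apiKey));
    if (!upstream.ok) return reply(502, { error: "upstream error" });
    return reply(200, await upstream.json());
  } catch {
    // Generic message only: raw error text could include the upstream URL and key.
    return reply(502, { error: "upstream unreachable" });
  }
}

// Serverless hosts load the exported handler; the guard keeps the file loadable as an ES module too.
if (typeof module !== "undefined") module.exports = { handler };
```

The front end then requests the function's own URL with only the search term, so nothing in the bundle or in dev tools contains the key.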