Concerns about security with credentials visible on the front end
Closed this issue · 3 comments
There is something I don't quite understand, since next.js executes code from both the backend and the frontend, it requires part of the code to be executed from the frontend.
I wonder if the credentials of the GraphQL API endpoint would be accessible from the frontend through the window.__NEXT_DATA__ global variable.
And if it is, how would you recommend to securely authenticate to a graphql server? I'm thinking of using a proxy so that the credentials are server-side.
This may not be a concern for a graphql endpoint that is public, but is definitely a concern as soon as there is authentication, and can be easily overlooked.
@adamsoffer I've recorded a video that showcases the security issue I was talking about. I believe a warning should be issued in the README page and examples so that newcomers don't fall into that trap.
@Vadorequest Thanks so much for opening this issue and raising this concern. I imagine there's a recommended way to secure a GraphQL API endpoint with Next. If you find out could you let me know? I'll make sure to add that to that use case to the README. Thanks again.
Cheeers.
Thanks for your feedback, I created a thread about it at https://spectrum.chat/next-js/general/recommended-way-to-connect-to-a-graphql-endpoint-using-next-js~ff2c45d6-626a-4aed-90b7-e590b5fcfa6a