Hiding API URL in a React/Redux application (proxy)

I care about the security of my React/Redux application, since my API URL is exposed to the public inside the associated app.js. I researched this, and some developers proxy it in some way: instead of using my API URL, I can use api/ whenever I make calls with libraries like axios or superagent, and it proxies to my API URL, but this way users can only see api/ on their side.

I'm trying to figure this out. I suppose this is configured in the Express configuration?

+4
1 answer

You have a serious problem.

As a rule, your client code will call, say, /api, and on the Express server (or any other server that you use) you create a route for "/api" that proxies the request to the actual API URL.

This way you can hide any confidential information from the client, for example authentication tokens, API keys, etc.

In express, you can do something like this:

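// The `request` package provides the streaming HTTP client used below
const request = require('request');

app.use('/api', (req, res) => {
  const method = req.method.toLowerCase();
  const headers = req.headers;
  const url = 'your_actual_api_url';

  // Proxy request: stream the incoming body to the real API
  const proxyRequest = req.pipe(
    request({
      url,
      headers,
      method,
    })
  );

  // Collect the upstream response body
  const data = [];
  proxyRequest.on('data', (chunk) => {
    data.push(chunk);
  });

  // Relay the upstream status code and body to the client
  proxyRequest.on('end', () => {
    const { response } = proxyRequest;
    const buf = Buffer.concat(data).toString();
    res.status(response.statusCode).send(buf);
  });
});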

This example is a bit more complicated than it should be, but it will probably work for you.

+4
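
An added example, not part of the answer above: the same /api proxy idea with the request mapping split into a testable function that keeps the target on one fixed upstream, drops client-controlled headers, and attaches the secret on the server. `UPSTREAM`, `API_KEY`, the `x-api-key` header name and the function names are assumptions for illustration.

```javascript
// Added example, not the answerer's code. UPSTREAM, the x-api-key header name and
// API_KEY are assumptions; replace them with your API's real base URL and auth scheme.
const UPSTREAM = new URL('https://api.internal.example/v1/'); // constructed base URL
const API_KEY = process.env.API_KEY || 'constructed-demo-key'; // stays on the server

// Client headers that are per-connection or that the browser must not control upstream.
const DROP = new Set(['host', 'connection', 'keep-alive', 'transfer-encoding', 'upgrade',
  'te', 'trailer', 'content-length', 'authorization', 'cookie', 'x-api-key']);

// Map an incoming "/api/..." request to an upstream request; null means "reject".
function buildUpstreamRequest(method, clientUrl, clientHeaders) {
  if (!clientUrl.startsWith('/api/')) return null;
  // Resolve against the fixed base, then require the same origin and base path, so
  // "../", "//host" or an absolute URL cannot steer the proxy somewhere else.
  const target = new URL(clientUrl.slice('/api/'.length), UPSTREAM);
  if (target.origin !== UPSTREAM.origin) return null;
  if (!target.pathname.startsWith(UPSTREAM.pathname)) return null;
  const headers = {};
  for (const [name, value] of Object.entries(clientHeaders)) {
    const key = name.toLowerCase();
    if (!DROP.has(key)) headers[key] = value;
  }
  headers['x-api-key'] = API_KEY; // secret is attached here, never shipped in app.js
  return { method, url: target.href, headers };
}

// Handler for app.use('/api', apiProxy) or http.createServer(apiProxy); needs Node 18+ (fetch).
async function apiProxy(req, res) {
  const out = buildUpstreamRequest(req.method, req.originalUrl || req.url, req.headers);
  if (!out) { res.statusCode = 404; return res.end(); }
  try {
    const chunks = [];
    for await (const chunk of req) chunks.push(chunk); // buffer the request body
    const hasBody = !['GET', 'HEAD'].includes(out.method);
    const up = await fetch(out.url, { method: out.method, headers: out.headers,
      body: hasBody ? Buffer.concat(chunks) : undefined });
    res.statusCode = up.status;
    res.setHeader('content-type', up.headers.get('content-type') || 'application/octet-stream');
    res.end(Buffer.from(await up.arrayBuffer()));
  } catch (err) {
    res.statusCode = 502; // upstream unreachable; do not leak its URL in the response
    res.end();
  }
}
```

The proxy only hides the upstream URL and key from the bundle; anyone can still call /api, so the server still needs its own authentication and rate limiting on that route.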