I’m looking into using the “Make this request through a server” feature when calling REST APIs in order to hide tokens used to authenticate my app to a third party API.
In full-stack development, we typically use back-end to back-end calls to keep these authentication tokens hidden. I’m wondering if this feature provides a similar level of security by handling the requests server-side, hence removing the token from the front-end source code.
Could someone confirm this? Any insights would be appreciated.
For small projects, I would like to avoid setting up a back-end.
I could use the Weweb auth and rely on the third-party API. I don't want to have a back-end just to hide credentials.
Thanks for your responses. I understand your points, but perhaps I wasn’t clear in expressing my query.
I recognize the standard approach is to handle these details in a dedicated back-end. However, for my current prototype project, setting up an entire back-end just for a single API call seems rather excessive.
My question isn’t “should I use Weweb for this?” but rather “Is Weweb safe for this purpose?”
More precisely, I’m trying to understand how “Make this request through a server” functions. Does the front-end simply pass the full request to the back-end to perform, thereby keeping the authentication token of the third-party API stored in the front-end? Or is the request already ‘stored’ in the back-end and simply triggered by the front-end, meaning the token would be stored back-end side, not in the front-end?
Everything in Weweb lives in the client, so everything is exposed, except private fields in plugins and specific actions of Weweb's official plugins.
My understanding is that "Make this request through a server" will ship all the details of the request to the client, and then Weweb's server will proxy the request. It is not meant to keep private tokens private; it is meant to bypass CORS errors for APIs that don't handle it (and often that's a sign that the API is not meant to be called from the client).
As Jared said, anything that you want to keep secret should be done from your back-end of choice.
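To make the distinction in the replies above concrete, here is an added example (not Weweb's code, and not from anyone in this thread) that simulates both architectures in plain Node.js with no network: a pass-through proxy of the kind described, where the browser describes the whole request including its Authorization header, beside a back-end that holds the secret itself and receives only the client's intent. The API URL, the token value and the function names (`passThroughProxy`, `secretHoldingBackend`, `thirdPartyApi`) are constructed for the example. The `leaksToken` check stands in for what anyone can do with the browser's devtools: inspect the payload that leaves the page and look for the credential.

```javascript
// Added example, not Weweb code: simulates the two architectures so the
// difference in where the third-party token travels can be checked.
// Names and values below are hypothetical / constructed for illustration.

// Constructed, fake credential for the third-party API.
const THIRD_PARTY_TOKEN = 'tp_live_EXAMPLE_0123456789';

// Mock third-party API: authenticates by bearer token, returns a quote.
function thirdPartyApi(request) {
  const auth = (request.headers && request.headers['Authorization']) || '';
  if (auth !== `Bearer ${THIRD_PARTY_TOKEN}`) {
    return { status: 401, body: { error: 'invalid token' } };
  }
  return { status: 200, body: { quote: 'hello', for: request.body.symbol } };
}

// Pattern 1: "make this request through a server" used as a CORS-bypassing
// proxy. The browser describes the *entire* request, headers included, and
// the proxy just forwards it. Whatever the browser knows, any user can read.
function browserBuildsProxiedRequest(symbol) {
  return {
    url: 'https://api.example/quotes',            // hypothetical endpoint
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${THIRD_PARTY_TOKEN}`, // secret is in the page
      'Content-Type': 'application/json',
    },
    body: { symbol },
  };
}
function passThroughProxy(payloadFromBrowser) {
  // The proxy adds nothing; it only relays what the client assembled.
  return thirdPartyApi(payloadFromBrowser);
}

// Pattern 2: back-end-to-back-end. The browser sends only its intent; the
// secret is read from the server's own environment and never leaves it.
function browserBuildsBackendCall(symbol) {
  return { action: 'getQuote', symbol };
}
function secretHoldingBackend(intent, env) {
  if (intent.action !== 'getQuote') {
    return { status: 400, body: { error: 'unknown action' } };
  }
  return thirdPartyApi({
    url: 'https://api.example/quotes',
    method: 'POST',
    headers: { 'Authorization': `Bearer ${env.THIRD_PARTY_TOKEN}` },
    body: { symbol: intent.symbol },
  });
}

// Check: does the wire payload that leaves the browser contain the secret?
// This is the devtools "Network" tab test, written as a function.
function leaksToken(wirePayload, token) {
  return JSON.stringify(wirePayload).includes(token);
}

// Walk both flows and report what each one exposed on the client side.
function compare() {
  const proxied = browserBuildsProxiedRequest('ACME');
  const viaBackend = browserBuildsBackendCall('ACME');
  return {
    proxyResponse: passThroughProxy(proxied).status,
    proxyLeaksToken: leaksToken(proxied, THIRD_PARTY_TOKEN),
    backendResponse: secretHoldingBackend(viaBackend, { THIRD_PARTY_TOKEN }).status,
    backendLeaksToken: leaksToken(viaBackend, THIRD_PARTY_TOKEN),
  };
}

console.log(compare());
```

Both flows get a 200 from the mock API, so functionally they look the same; the only difference is that in the proxied flow the bearer token is present in the object the browser builds, which is exactly what "ship all the details of the request to the client" means. The back-end variant also shows the shape of the minimal server the thread recommends: one endpoint that accepts a narrow intent and attaches the credential itself.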