Hiding API keys with Netlify and conceal Netlify functions

bubastis · August 17, 2020, 2:49pm

I’m using a vanilla JS script to interact with the Airtable API.

The API and the base are stored in this short Netlify function:

exports.handler = function(event, context, callback) {
  const secret = [process.env.AIRTABLE_API, process.env.BASE_ID];
  callback(null, {
    statusCode: 200,
    body: JSON.stringify(secret)
  });
};

It works great when invoked via fetch in my frontend js file. However, I can still see my function if I try to access /functions/ directly. How can I protect it from everything but my main .js file?

perry · August 21, 2020, 7:09pm

hey there. We’ve been a little short staffed this week, but we’ll get you an answer from a functions expert as soon as we can. thanks for your patience!

fool · August 25, 2020, 10:14pm

When you say you can “see your function directly”, what do you mean exactly? You shouldn’t be able to download the source code from the deployed functions, but we definitely don’t block you from hitting https://yoursite.com/.netlify/functions/funcname directly.

Perhaps your functions folder is INSIDE of your dist folder? That WOULD deploy your functions’ source code in a way you could download, so try moving it outside, if that’s what’s happening

Topic		Replies	Views
How to hide an API key on a HTML page Support lambda-functions , security	3	4241	August 11, 2023
Deploying hidden API-key client-side Support deployment , netlify-newbie	2	682	March 30, 2021
Creating environment variables for client side code Support lambda-functions , environment-vars	3	674	August 5, 2019
Writing to AirTable via netlify functions Support lambda-functions , netlify-newbie	13	1251	June 22, 2021
Hiding API Keys with Netlify Functions in Gatsby Support lambda-functions , gatsby , environment-vars	1	1530	August 14, 2020

Hiding API keys with Netlify and conceal Netlify functions

Related topics