
How can I stop the data I post to a netlify function from being returned to the browser in response config object

I’m posting a password field to a netlify function. I notice that the response object contains the object posted to the function. This means that the password field is returned to the browser in plain text. Is there any way I can stop this value from being returned in my response? My actual response body comes back in a data key and looks good. I don’t need the data I posted returned though.

Hi @rebeccapeltz

Can you give an example of the function you are using, what and how your response is returned?

As I have posted elsewhere in these forums, I am of the firm belief that passwords should never get sent in plain text. As such I will repost this portion of that answer:

Use HTTPS. Securely hash passwords, irreversibly, with a unique salt per password. Do this on the client - do not transmit their actual password. Transmitting the user’s original password to your servers is never “OK” or “Fine”.
– Source: security - Should I hash the password before sending it to the server side? - Stack Overflow

Hi Coel,
There are a lot of opposing opinions on the Stack Overflow post you shared about whether to hash or rely on HTTPS, with some thinking the question is about posting passwords over HTTP.
I’m familiar with hashing before storing a password in persistent memory, but what I’m doing is sending a KEY (like a pw) from a client hosted on netlify to a serverless function on netlify over HTTPS. I’m not sure why I should hash it if HTTPS is doing that. I’m not storing the KEY anywhere so the only place where it should be available as plain text is within the serverless function.
What I’d like to do is not return the config which contains the data posted from the serverless function.
I’m trying to pass an API key from client to server rather than storing the key on server env variable. This is to allow people with different KEYS (accounts) to call the function that relies on the key.

Without getting into all the code here’s the signature and parsing of the posted data

exports.handler = async (event) => {
  // parse data from body
  const data = JSON.parse(event.body);
  // logs the whole posted object, including the key, to the function logs
  console.log("data:", data);

at the end I make a call to another API and here is the return to the client

  try {
    // forward to the upstream API; API and body are set earlier in the handler
    const response = await axios.post(API, body);
    return {
      statusCode: response.status,
      body: JSON.stringify({ message: "success" }),
    };
  } catch (error) {
    return {
      statusCode: 500,
      body: JSON.stringify({ message: "error" }),
    };
  }
}; // closes exports.handler

I was expecting to just get the statusCode and message: “success”, but I see that I also get the config object containing what I posted.

I’ve seen documentation about custom responses and I was wondering if I could customize the response to not include the config object.

Thanks,
Becky
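An added example, not Becky’s code and not Netlify’s: a version of this kind of handler that validates the posted JSON, masks the key before it is logged, forwards it upstream through an injected `post` function standing in for `axios.post` (so the example runs offline), and returns only a statusCode and a fixed JSON body. Note that the returned object never contains the posted data at all; whatever the browser sees as a `config` object must come from the client side. `API_URL`, the `apiKey` field name, the `SECRET_FIELDS` list and the bearer-header convention for the upstream API are assumptions for the example.

```javascript
// Added example: a Netlify-style handler that forwards a client-supplied key
// upstream without echoing it in the response or writing it to the logs.

// Field names treated as secrets when logging (assumption for the example).
const SECRET_FIELDS = ["apiKey", "password", "key"];

// Placeholder for the upstream API the function calls (assumption).
const API_URL = "https://api.example.invalid/v1/do-thing";

// Parse and validate the JSON body. Throws on malformed input so the caller
// can answer 400 instead of letting JSON.parse turn into a 500.
function parseBody(rawBody) {
  let data;
  try {
    data = JSON.parse(rawBody || "");
  } catch (e) {
    throw new Error("body is not valid JSON");
  }
  if (!data || typeof data !== "object" || typeof data.apiKey !== "string" || data.apiKey.length === 0) {
    throw new Error("missing apiKey");
  }
  return data;
}

// Shallow copy with secret-looking fields masked; safe to hand to console.log.
function redactForLog(data) {
  const out = {};
  for (const [k, v] of Object.entries(data)) {
    out[k] = SECRET_FIELDS.includes(k) ? "[redacted]" : v;
  }
  return out;
}

// The only shape the browser ever receives from this function.
function buildResponse(statusCode, message) {
  return {
    statusCode,
    headers: { "Content-Type": "application/json", "Cache-Control": "no-store" },
    body: JSON.stringify({ message }),
  };
}

// `post(url, body, options)` is injected so the example runs offline; in the
// real function it would be axios.post with the same call signature.
function makeHandler(post) {
  return async function handler(event) {
    if (event.httpMethod !== "POST") return buildResponse(405, "method not allowed");
    let data;
    try {
      data = parseBody(event.body);
    } catch (e) {
      return buildResponse(400, e.message);
    }
    console.log("data:", redactForLog(data)); // key is masked before it reaches the logs
    try {
      // Split the key off the payload; it travels upstream as a bearer header (assumption).
      const { apiKey, ...payload } = data;
      const response = await post(API_URL, payload, { headers: { Authorization: `Bearer ${apiKey}` } });
      // Only the upstream status is reused; its data/config objects are dropped here.
      return buildResponse(response.status, "success");
    } catch (error) {
      return buildResponse(502, "error");
    }
  };
}

// Constructed stand-in for axios.post: records its arguments and resolves with
// an axios-shaped response (status, data, and the config it was called with).
function fakePost(url, body, options) {
  fakePost.lastCall = { url, body, options };
  return Promise.resolve({ status: 200, data: { ok: true }, config: { url, data: body } });
}

// Usage with a constructed event, as a local Netlify function would receive it.
const sampleEvent = { httpMethod: "POST", body: JSON.stringify({ apiKey: "sk-constructed-123", text: "hello" }) };
makeHandler(fakePost)(sampleEvent).then((res) => console.log(res));
```

The returned object is built from scratch by `buildResponse`, so the posted body cannot end up in it; the separate `redactForLog` step matters because function logs are where a plain `console.log(data)` would otherwise keep the key.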


As far as I can tell from testing, this is an Axios thing. The Response Schema shows it will return the config used in the axios request. I see nothing about specifying which information is or isn’t returned.

I have a demo repository coelmay/axios-vs-fetch which is deployed on wonderful-pasteur-6d7e40 to test/demonstrate the difference between axios and fetch. I have mimicked your code (to a point) with the data sent in the body. The function receiver simply returns a status code of 200, and a body that says Received!

Axios

Fetch

While I am using the browser versions of both Axios and Fetch, I believe from experience (of fetch, not of axios) the same would apply if using node-fetch.
