font-picker-react
Token security
I'm by no means an expert on Google API tokens, but it doesn't seem great that they're exposed to the client as a matter of course. I think there are a couple of things that could be done to reduce the risk that exposing the token poses:
- Add more detailed README text specifying that the Google token generated should be restricted to the Google Fonts API being called from their specific website (I realise that advising people on how to configure API tokens isn't really your problem, but I do think it would help people to use your component properly).
- Consider an alternative to specifying the API token in the code directly - maybe it could be a function that retrieves the data some other way (e.g. calling to a backend server that holds the API token and proxies the request)?