Conversation
| SEARCH_APP_API_KEY=xxxxxxxxxxxxxxxxxxx | ||
| SEARCH_APP_ENDPOINT=https://some-search-end-point.co No newline at end of file | ||
| REACT_APP_SEARCH_APP_NAME=some-search-application | ||
| REACT_APP_SEARCH_APP_API_KEY=xxxxxxxxxxxxxxxxxxx |
There was a problem hiding this comment.
Correct me if I'm wrong, but this would make the API key available in the browser, which is a really bad idea security-wise, and not something we should promote or recommend.
There was a problem hiding this comment.
Yes you're correct, but actually the current app already does expose it. But this is the method documented in the Elasticsearch documentation.
This PR just fixes a bug that prevent developers to pass those parameters using an .env file. If not, those parameters can be set through the web app itself.
Maybe we should add a disclaimer in the README about the security risks and point to the Elasticsearch documentation for more details?
There was a problem hiding this comment.
Interesting that we recommend this method, as it is very risky and depends on people having an understanding of what they're doing when generating their keys, which isn't always the case.
Even with a scoped API key, there is risk of a bad actor using the key to generate unexpected expenses for the application owner, or render the search functionality unusable by making enough calls to hit the rate limits, so this is still a bad idea.
At the very least there should be a very big warning in the readme explaning the risk.
There was a problem hiding this comment.
I added a disclaimer in the Readme file, please let me know what you think.
2 participants
No description provided.