I'm working with a Shopify theme and using an access network outside Shopify for each environment.
```javascript
const environment = '{{ settings.environment }}';
let apiEndpoint;

if (environment === 'Development') {
  apiEndpoint = 'https://dev-api.example.com';
} else if (environment === 'Staging') {
  apiEndpoint = 'https://staging-api.example.com';
} else if (environment === 'Production') {
  apiEndpoint = 'https://api.example.com';
}
```
All the API endpoints on my side are public APIs, but there is one problem: all the endpoints are saved in the Liquid file.
So anyone can check and see them.
Ex: A user is using the Production environment, but they can see the API endpoints of DEV and STG. They can access them and see the test data there. Maybe that is a risk.
Is there a best way to fix this case?
Hi Nhtbao101,
Instead of making direct API calls from the client-side, you could consider setting up a server-side proxy:
This way, the actual API endpoint remains hidden from the client-side, and you can add additional security measures on your server, like rate limiting, logging, and more.
Also, even if someone knows your development or staging endpoints, they shouldn't be able to do much without the right authentication. Ensure that your APIs require secure tokens or headers to access. This way, even if someone knows the endpoint, they can't fetch data without the correct credentials.
Hope this helps!
Liam | Developer Advocate @ Shopify
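One way to build the server-side proxy suggested in the reply above, as an added example that is not part of the original thread or Shopify's own code: the theme calls only the proxy, which picks the upstream from server-side configuration, attaches the token, rate-limits and logs. The allowed paths, the `cfg` shape, the limits and the function names are assumptions.

```javascript
// Added example. Upstream hosts are the ones from the question; everything else is hypothetical.
// The map lives on the server, so the theme source no longer lists dev/staging hosts.
const UPSTREAMS = {
  Development: 'https://dev-api.example.com',
  Staging: 'https://staging-api.example.com',
  Production: 'https://api.example.com',
};
const ALLOWED_PATHS = new Set(['/products', '/inventory']); // assumed API routes

// Sliding-window rate limiter keyed by client id (for example the remote address).
function createRateLimiter(limit, windowMs) {
  const hits = new Map(); // clientId -> timestamps still inside the window
  return function allow(clientId, now = Date.now()) {
    const recent = (hits.get(clientId) || []).filter((t) => now - t < windowMs);
    const ok = recent.length < limit;
    if (ok) recent.push(now);
    hits.set(clientId, recent);
    return ok;
  };
}

// Turn a browser request into an upstream request, or into an error status.
function planUpstreamRequest(reqUrl, clientId, cfg, allow) {
  // Only the normalized path and query are reused; any host in reqUrl is discarded.
  const { pathname, search } = new URL(reqUrl, 'http://proxy.invalid');
  if (!ALLOWED_PATHS.has(pathname)) return { status: 404 };
  if (!allow(clientId)) return { status: 429 };
  const base = UPSTREAMS[cfg.environment];
  if (!base || !cfg.token) return { status: 500 }; // misconfigured server
  return {
    status: 200,
    url: base + pathname + search,
    headers: { Authorization: `Bearer ${cfg.token}` }, // token never reaches the browser
  };
}

// Mount with: http.createServer((req, res) => handle(req, res, cfg, allow)).listen(port)
async function handle(req, res, cfg, allow) {
  const client = req.socket.remoteAddress;
  const plan = planUpstreamRequest(req.url, client, cfg, allow);
  console.log(new Date().toISOString(), client, req.url, plan.status); // request log
  if (plan.status !== 200) { res.writeHead(plan.status).end(); return; }
  try {
    const upstream = await fetch(plan.url, { headers: plan.headers });
    res.writeHead(upstream.status, { 'Content-Type': 'application/json' });
    res.end(await upstream.text());
  } catch {
    res.writeHead(502).end(); // upstream unreachable
  }
}
```

Here `cfg` would be loaded from the proxy's own environment (for example `{ environment: process.env.APP_ENV, token: process.env.API_TOKEN }`), and the development and staging APIs should still reject requests that lack the token.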