API Proxy as Browser Security Boundary

Any secret that must not reach the browser belongs in a server-side proxy. The client sends a call config (method, path, params, body) without credentials; the proxy looks up the secret server-side, injects it as a header, and forwards the request to the third-party API. The response is streamed back. The browser never sees the key — not in network requests, not in JS memory, not in DevTools.

The proxy is the trust boundary. Everything on the browser side of it is public by definition — a motivated user with DevTools can read anything the browser touches. Everything on the server side is private by construction.

A secondary benefit: the proxy provides a single place to enforce policy. Rate limiting, request logging, auth scheme changes (switching from X-API-Key to Bearer), and CORS management all happen in one layer rather than being scattered across component configs.


Source: data-app-factory — #003 Backend: Proxy route See also: Declarative Data Apps