I'm just a newbie and I know next to nothing about web security. After reading a post by Exadra37 (below) about using a proxy server to handle OpenAI API calls, I decided to try it out.
"For example, when your mobile app needs to make a request to openapi.io/some/resource instead it makes it to your-reverse-proxy.com/some/resource that will then grab the /some/resource part and build the request to OpenAPI openapi.io/some/resource, adding the API token header to it, that now it's securely stored in your Reverse Proxy server"
From: How to use an API from my mobile app without someone stealing the token
So now, I use a reverse proxy server that retrieves my secret API key from a location outside the root, makes the API call on the client's behalf, and finally sends back the response.
Everything seems to be working well, but I'm wondering if there are any potential issues with using this method, such as security vulnerabilities, performance problems, server downtime, or too many calls to the reverse proxy PHP file at my-reverse-proxy.com/some/proxy.php.
Can you provide any insights or recommendations about this setup? Thanks.
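A minimal version of the proxy.php described above, added here as an example (it is not the original poster's or Exadra37's code), showing the checks a defender would want in this setup: an allowlist of upstream methods and paths, a request body cap, and the key read from a file outside the document root. It assumes the web server rewrites my-reverse-proxy.com/some/proxy/<path> to proxy.php?path=/<path>, and UPSTREAM_BASE and KEY_FILE are hypothetical values.

```php
<?php
// Added example, not the original poster's code.
declare(strict_types=1);

const UPSTREAM_BASE  = 'https://api.openai.com';      // assumption: the upstream API host
const KEY_FILE       = '/var/www/secret/openai.key';  // hypothetical path outside the web root
const MAX_BODY_BYTES = 16384;                         // reject oversized requests early

// Only these (method, path) pairs may be relayed upstream; everything else is refused,
// so the proxy cannot be turned into an open relay to arbitrary endpoints.
const ALLOWED = [
    ['POST', '/v1/chat/completions'],
];

$method = $_SERVER['REQUEST_METHOD'];
$path   = $_GET['path'] ?? '';

// Strict comparison: both method and path must match an allowlist entry exactly.
if (!in_array([$method, $path], ALLOWED, true)) {
    http_response_code(403);
    exit;
}

$body = (string) file_get_contents('php://input');
if (strlen($body) > MAX_BODY_BYTES) {
    http_response_code(413);
    exit;
}

// The secret never reaches the client: it is read server-side from outside the document root.
$apiKey = trim((string) file_get_contents(KEY_FILE));

$ch = curl_init(UPSTREAM_BASE . $path);
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $body,
    CURLOPT_HTTPHEADER     => [
        'Content-Type: application/json',
        'Authorization: Bearer ' . $apiKey,
    ],
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 30,
    CURLOPT_SSL_VERIFYPEER => true,  // keep TLS verification on for the upstream call
]);
$response = curl_exec($ch);
$status   = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

// Relay the upstream status and JSON body; a failed upstream call becomes a 502.
http_response_code($response === false || $status === 0 ? 502 : $status);
header('Content-Type: application/json');
echo $response === false ? '{"error":"upstream request failed"}' : $response;
```

Per-client rate limiting and some form of app authentication still belong in front of this file (e.g. at the web server), since the key is now protected but the quota it spends is not.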