Permanent access token included in app.js source code

Hello,

We're getting a report from HackerOne that our permanent Prismic API token is included in our app.js file.

On our side, we use environment variables to store this value safely, but the gatsby-source-prismic plugin seems to include it anyway.

Is it safe to display this value publicly? According to this thread, it seems the answer is no.

Which other token should we use instead, or is there a way to tell gatsby-source-prismic not to display this value publicly?

Thank you,
Nicolas

Hey Nicolas, thanks for reaching out!

This is still an open discussion about the community built plugin; there's a Github thread that details a similar case and the workarounds that Angelo, the plugin creator, recommends. Please refer to this link to read the full conversation.

Thanks

This issue has been closed due to inactivity. Flag to reopen.

Hey @nicolas.spehler!

I would like to add that the upcoming version 4 of the gatsby-source-prismic plugin will introduce some changes in that area.

Here you have the general Github discussion.
Here you have a more detailed outlook, that also describes the changes regarding the exposed token.