MohammedRaji / react-ig-feed

A React component to display a user's Instagram photos using the Instagram Basic Graph API
https://mohammedraji.github.io/react-ig-feed/
MIT License
43 stars 23 forks

Security issue with token? #14

Open Pixelatex opened 2 years ago

Pixelatex commented 2 years ago

Hello there,

Isn't it a risk to expose the token like this? Considering that this is likely to be used on a public-facing page somewhere means that random people could find your token.

I understand you are trying to make a working one-stop component, but you could address this risk in the readme. Fetching the feed on the backend and only using this component as a frontend component to show the feed result is a much safer method.

MohammedRaji commented 2 years ago

Thank you for your suggestion. For more security you can use .env variables.

luke-underwood commented 2 years ago

Hi! Using .env variables would not solve the issue as the token would still be leaked client-side

Flaaj commented 2 years ago

> Hi! Using .env variables would not solve the issue as the token would still be leaked client-side

The token can be leaked; in the FB developers account you can specify app domains, and if somebody wants to use your token outside of your domain he will get a CORS error.

thomcrielaard commented 2 years ago

I think using .env variables indeed does not solve the issue. You can use server-side .env variables, but then the token will be marked as "undefined", since the call is done client-side. On the other hand, using client-side .env variables makes no difference, since they are client-side (or am I missing something?)