jonrhall / openai-streaming-hooks

React Hooks for streaming connections to OpenAI APIs
MIT License
83 stars 18 forks

Security risks not in README #5

Open brentbaum opened 1 year ago

brentbaum commented 1 year ago

This is begging to encourage beginners to publish their OpenAI secret keys in client-side JavaScript, leaking them. It feels responsible to add a banner in the README to note the security risk & recommend they use a proxy when pushing the application into production.

johannbuscail commented 1 year ago

I'm new to this. What do you mean by using a proxy?

dcsaszar commented 1 year ago

@johannbuscail

Taken from https://platform.openai.com/docs/api-reference/authentication:

Remember that your API key is a secret! Do not share it with others or expose it in any client-side code (browsers, apps). Production requests must be routed through your own backend server where your API key can be securely loaded from an environment variable or key management service.