I have a use case where multiple users will be making use of a tool and so self-hosting and changing the NOTION_TOKEN as recommended wouldn't be a viable solution.
I've been adding the Authorization: Bearer <NOTION_TOKEN> header to my requests to private pages, but have noticed that because those pages are cached for a few seconds, if I then request the same URL without the authorisation header I can load private page data (tested from a separate device, so it's not just browser caching).
Either private pages shouldn't be cached, or their authorisations should be cached with them to prevent this.