DevOps team wants me to conceal API endpoints and credentials in client-side code?

I’m working as a frontend developer using React and my DevOps team keeps insisting that I should completely hide API endpoints and authentication tokens from the client side. They specifically don’t want users to see these URLs or credentials when they inspect the browser tools like Network panel or Sources section.

Based on my understanding, everything that runs in the browser is essentially public and can be examined by users. This includes all network calls and any tokens being used in requests.

I’ve done some research and most developers on various programming forums seem to agree that truly hiding API credentials in frontend applications isn’t feasible. Am I missing something here? Is there actually a method to secure this information in browser-based apps?

UPDATE: Let me clarify the workflow

CLIENT REQUEST → SERVER RESPONDS WITH data:{information, session_token}

DevOps requirements:

  • HIDE/OBFUSCATE SESSION_TOKEN FROM NETWORK PANEL
  • CONCEAL API ENDPOINTS FROM SOURCES PANEL
  • PREVIOUSLY ASKED TO HIDE AUTHENTICATION KEYS FROM REQUESTS

UPDATE 2:

Appreciate all the feedback. Planning to discuss this with DevOps next week. Key points from responses:

  • Explaining that I’m using React without server-side rendering capabilities
  • Clarifying that hiding API URLs and keys in browser tools isn’t actually possible. Code obfuscation exists but provides no real security
  • Suggesting removal of sensitive keys for public endpoints
  • Noting that session cookie security (HttpOnly, Secure flags) is backend responsibility
  • Proposing they create a proxy server if they want to mask actual API endpoints

To clarify: I’m an intern with a predetermined tech stack (React), so switching frameworks isn’t an option. Also, regarding environment variables - the issue is hiding API URLs from the Sources tab entirely.

Classic security theater from your DevOps team. I’ve seen this before - backend folks just don’t get how client-side apps work. Anything that runs in the browser is exposed to users. Period. There’s no magic fix for this.

You need to educate them on proper security architecture. Session tokens shouldn’t be floating around in JavaScript where everyone can see them - use HttpOnly cookies instead. If they’re really worried about API endpoints being exposed, they need a backend proxy or gateway to sit in between.

Sure, code obfuscation makes things harder to read, but any determined user can still pull out what they want. Stop trying to hide stuff that can’t be hidden. Focus on proper auth flows and secure token management on the server side instead.

Your DevOps team is kinda being unrealistic. Even if you obfuscate, people can still see API calls in the network tab. Maybe share some info on client-side security limitations to help them understand? It’s a common issue we all deal with.

Been there with security teams who don’t get frontend limitations. Your DevOps team is trying to apply server-side security to client-side code - that’s not how it works. I set up a quick demo showing how even heavily obfuscated production apps get reverse-engineered in minutes using browser dev tools. That reality check usually shifts the conversation toward actual solutions. Push back hard on storing session tokens in localStorage or JavaScript variables. If they want to hide network calls, they need to give you a BFF (Backend for Frontend) or API gateway instead of direct API endpoints. This fixes their URL visibility concerns since you’d only hit one proxy endpoint. The authentication keys thing is really concerning - those shouldn’t touch the frontend at all. Sounds like there are fundamental architecture problems here beyond just hiding things from browser tools.
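The HttpOnly-cookie and BFF arrangement the replies recommend, sketched as an added example that is not part of the thread or anyone's production code. The upstream host, the `UPSTREAM_API_KEY` variable, the `/bff/*` route names and the `X-Api-Key`/`X-User-Id` headers are assumptions made for illustration.

```javascript
// Added example: BFF routing logic as pure functions, so it runs offline.
const { randomBytes } = require('crypto');

// Assumptions (not from the thread): upstream host, env var name, route table.
const UPSTREAM_BASE = 'https://internal-api.example'; // never sent to the browser
const UPSTREAM_KEY = process.env.UPSTREAM_API_KEY || 'constructed-demo-key';
const ROUTES = new Map([['/bff/profile', '/v2/users/me'], ['/bff/orders', '/v2/orders']]);
const sessions = new Map(); // opaque session id -> { userId }; in-memory for the demo

// Login: the session id goes in a cookie that page JavaScript cannot read.
function login(userId) {
  const sid = randomBytes(32).toString('hex');
  sessions.set(sid, { userId });
  return {
    status: 200,
    headers: { 'Set-Cookie': `sid=${sid}; HttpOnly; Secure; SameSite=Strict; Path=/bff` },
    body: { ok: true }, // no session_token field in the JSON body
  };
}

// Extracts the sid value from a raw Cookie request header.
function readSid(cookieHeader = '') {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'sid') return rest.join('=');
  }
  return null;
}

// Maps a browser request to the upstream call the BFF would make server-side.
function planUpstreamCall(path, cookieHeader) {
  const session = sessions.get(readSid(cookieHeader));
  if (!session) return { status: 401 };
  const target = ROUTES.get(path); // allowlist: unknown paths are never forwarded
  if (!target) return { status: 404 };
  return {
    status: 200,
    upstream: {
      url: UPSTREAM_BASE + target,
      // The API key is attached here, on the server, and never reaches the bundle.
      headers: { 'X-Api-Key': UPSTREAM_KEY, 'X-User-Id': session.userId },
    },
  };
}
```

The `/bff/*` calls and the cookie itself still appear in DevTools; what changes is that page scripts cannot read the token, and the upstream URL and key stay on the server.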