DevOps team wants me to conceal API endpoints and authentication tokens in client-side application?

I work as a frontend developer using React (not using Next.js) and I’m facing some confusion about security requirements. My DevOps team keeps telling me to hide API endpoints and authentication tokens from being visible in the browser.

They specifically don’t want users to see these things when they open browser dev tools like the Network tab or Sources panel. But from my understanding, everything that runs in the browser can be inspected by users since it’s client-side code.

The current workflow is:
CLIENT REQUEST → SERVER RESPONDS WITH {information, token_id}

What they’re asking for:

  • Hide or encrypt the token_id in network requests
  • Prevent API endpoints from appearing in the Sources tab
  • Previously they also wanted me to hide secret keys from requests

I’ve read discussions online where many developers say you can’t truly hide this information in frontend applications. Am I missing something here? Is there actually a method to secure these details in browser-based apps?

Hmm, interesting - what APIs are you calling that worry them so much? Third-party services with expensive rate limits, or something more sensitive? Understanding their specific concerns might help you find a compromise that actually works.

You’re absolutely right. Your DevOps team doesn’t understand how client-side apps work. Anything sent to the browser is accessible to users through dev tools - obfuscation won’t help. You need architectural changes. Don’t call API endpoints directly from React. Set up a backend proxy that handles external API calls and keeps sensitive endpoints and keys on the server. For auth, use secure HTTP-only cookies instead of storing tokens in localStorage. I’ve dealt with security teams that had unrealistic expectations about what frontend can do. Stop trying to “hide” client-side data and restructure your app flow instead. Propose a backend-for-frontend pattern where React only talks to your own API, which then handles external service integrations securely.

Your DevOps team's asking for the impossible. Anything in the browser can be inspected - that's just how the web works. Try suggesting environment variables for endpoints and proper CORS policies instead. Also look into token refresh patterns so tokens expire fast.