I have a pure client-side application (statically served assets with no backend) that is making requests to IPFS through Infura. Currently, this requires me to expose the secret key to the client in order to make the requests from the user’s browser.
Infura’s documentation suggests that the Allowlist feature is sufficient to prevent malicious users from abusing the key: “If you are sending API requests from a web browser or other client-side application which does not have the ability to secure your Project Secret, allowlisting can be used to prevent a third party from using your Project ID on another website” (refer to Secure a project - Infura Docs). However, it is possible for an attacker to spoof the Origin request header: https://stackoverflow.com/a/21058346.
I looked into using a JSON Web Token (JWT), but it seems like this is not supported for IPFS projects yet. Can you please advise me on what similar use-cases are doing? The best I can think of is to set up my own REST API and server-side application from which to make the requests to Infura, but I would very much like to avoid this overhead if possible. Thank you in advance.
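To make the concern in the question concrete, here is an added example (not part of the question, and not Infura's code) that models both halves of the problem: a secret embedded in a browser bundle is recoverable from the page's own traffic, and an allowlist keyed on the `Origin` header is passed by any non-browser client that simply writes the allowlisted value into that header. The allowlist check is a simplified model of how origin allowlisting works (an assumption; Infura's real implementation may differ), and all credentials and origins are constructed sample values.

```python
"""Why an Origin allowlist does not protect a client-side API secret.

Added example; not the question author's code and not Infura's. The allowlist
check is a simplified model (assumption): the service compares the request's
Origin header (falling back to the Referer's origin) with the allowlisted sites.
"""
import base64
from urllib.parse import urlsplit

# Constructed sample values, not real credentials.
PROJECT_ID = "2ExampleProjectId"
PROJECT_SECRET = "example-secret-do-not-use"
ALLOWLIST = {"https://app.example.com"}


def basic_auth_header(project_id: str, project_secret: str) -> str:
    """HTTP Basic Authorization value a page would send when the project
    secret is shipped to the browser (user:password = project id:secret)."""
    token = base64.b64encode(f"{project_id}:{project_secret}".encode()).decode()
    return f"Basic {token}"


def recover_secret(authorization_header: str) -> tuple[str, str]:
    """Anyone who can read the bundle or the browser's network tab can do this:
    Basic auth is an encoding, not a protection."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic auth header")
    project_id, _, secret = base64.b64decode(token).decode().partition(":")
    return project_id, secret


def normalize_origin(url_or_origin: str) -> str:
    """Reduce a URL or origin string to scheme://host[:port], lower-cased."""
    parts = urlsplit(url_or_origin)
    return f"{parts.scheme}://{parts.netloc}".lower()


def allowlist_permits(headers: dict[str, str], allowlist: set[str]) -> bool:
    """Model of an origin allowlist (assumption about how such checks work):
    permit the request if Origin, or else the Referer's origin, is allowlisted."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False
    allowed = {normalize_origin(a) for a in allowlist}
    return normalize_origin(origin) in allowed


def browser_request(page_origin: str) -> dict[str, str]:
    """Headers a real browser attaches for a page served from page_origin.
    The browser sets Origin itself; page scripts cannot override it, because
    Origin is a forbidden header name in fetch/XHR. That is the case the docs
    describe: a third party's *website* cannot reuse the project."""
    return {
        "Origin": page_origin,
        "Authorization": basic_auth_header(PROJECT_ID, PROJECT_SECRET),
    }


def forged_request(recovered_auth: str, spoofed_origin: str) -> dict[str, str]:
    """Headers from a non-browser client (curl, a script, a proxy). Outside a
    browser, Origin is just text, so the attacker writes the allowlisted value."""
    return {"Origin": spoofed_origin, "Authorization": recovered_auth}


def demo() -> dict[str, bool]:
    """Run the scenario end to end and return the allowlist decisions."""
    auth = browser_request("https://app.example.com")["Authorization"]
    _, leaked_secret = recover_secret(auth)
    return {
        "secret_recovered": leaked_secret == PROJECT_SECRET,
        "legit_browser_allowed": allowlist_permits(
            browser_request("https://app.example.com"), ALLOWLIST),
        "other_website_blocked": not allowlist_permits(
            browser_request("https://attacker.example"), ALLOWLIST),
        "forged_client_allowed": allowlist_permits(
            forged_request(auth, "https://app.example.com"), ALLOWLIST),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The model makes the distinction in the docs visible: allowlisting is a defence against another website using your project from its visitors' browsers, where the browser controls `Origin`. It is not a defence against someone who has read the secret out of your static bundle and sends requests from anything other than a browser, which is the case the question is worried about.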