Securing keys in frontend only dApps

Hey everyone,

We’ve noticed a trendy use case of building NFT minting dApps that run on the client side only, with no backend services. Understandably, this comes with great simplicity: users send transactions using their wallets, and the dApp usually avoids the requests-per-second limits, since the requests to Infura come from many different users’ IP addresses.

However, this simplicity comes at a great cost: it exposes the keys to anyone who inspects your code or API requests. If you use MetaMask for transaction signing, you’ll avoid exposing private keys and the API key to Infura’s Ethereum (or other supported chains) endpoint, but you’ll probably want to upload content to IPFS, and you risk exposing those connection keys (Infura IPFS projectID & ProjectSecret). Allowlists can be used to restrict which browsers (IP, user-agent, origin) can access Infura IPFS, but that doesn’t stop someone from taking the key and using it in non-frontend code (curl, scripts, etc.).

It is a real challenge to protect these keys if you don’t want to run a backend service, but it is not impossible. Check out this great research done by our community friend @Gray_Newfield about using AWS Lambda and the KOR Connect framework:

Cheers !
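
One way to keep the Infura IPFS projectID and ProjectSecret out of the browser, as an added example that is not part of the original post or the linked research: an AWS Lambda-style handler that holds the credentials in its environment and proxies uploads to Infura's IPFS `add` endpoint. The environment variable names, `ALLOWED_ORIGIN`, `MAX_BYTES` and `makeHandler` are assumptions for illustration.

```javascript
// Added example (not from the original post). Env var names, the origin value
// and the size cap are assumptions; adapt them to your deployment.
const INFURA_IPFS_ADD = "https://ipfs.infura.io:5001/api/v0/add";
const MAX_BYTES = 1024 * 1024; // refuse large uploads so the proxy cannot be abused as free storage

function reply(statusCode, payload, origin) {
  const headers = { "Content-Type": "application/json" };
  if (origin) headers["Access-Control-Allow-Origin"] = origin;
  return { statusCode, headers, body: JSON.stringify(payload) };
}

// fetchImpl and env are injectable so the handler can be exercised offline.
function makeHandler(fetchImpl = globalThis.fetch, env = process.env) {
  return async function handler(event) {
    const hdrs = {};
    for (const [k, v] of Object.entries(event.headers || {})) hdrs[k.toLowerCase()] = v;

    // Origin is sent by the client and can be forged outside a browser, so this
    // is a CORS gate only. Real abuse control needs auth and rate limiting in front.
    if (hdrs.origin !== env.ALLOWED_ORIGIN) return reply(403, { error: "origin not allowed" });

    const data = Buffer.from(event.body || "", event.isBase64Encoded ? "base64" : "utf8");
    if (data.length === 0) return reply(400, { error: "empty body" }, hdrs.origin);
    if (data.length > MAX_BYTES) return reply(413, { error: "file too large" }, hdrs.origin);

    // The secret is read from the function's environment and never leaves the server.
    const basic = Buffer.from(
      `${env.INFURA_IPFS_PROJECT_ID}:${env.INFURA_IPFS_PROJECT_SECRET}`).toString("base64");
    const form = new FormData();
    form.append("file", new Blob([data]));

    const res = await fetchImpl(INFURA_IPFS_ADD, {
      method: "POST",
      headers: { Authorization: `Basic ${basic}` },
      body: form,
    });
    if (!res.ok) return reply(502, { error: "IPFS upload failed" }, hdrs.origin);

    const { Hash } = await res.json();
    return reply(200, { cid: Hash }, hdrs.origin); // the browser only ever sees the CID
  };
}

const handler = makeHandler(); // export this as the Lambda entry point
```

The frontend then posts file bytes to the function's URL and receives only the CID; rotating the ProjectSecret becomes a change to the function's environment rather than a redeploy of the dApp.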