Skip to main content

Principles

  • Do not expose backend endpoints in frontend code
  • Use SSR/edge routes to forward authenticated calls
  • Keep secrets in server-only env vars

Server-Side Proxy Example

// pages/api/tokens/balance.ts
import type { NextApiRequest, NextApiResponse } from "next";

export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse
) {
  const auth = req.headers.authorization;
  const r = await fetch(process.env.BACKEND_URL + "/balance", {
    headers: { authorization: auth || "" }
  });
  res.status(r.status).send(await r.text());
}

WebSocket Proxy Notes

  • Terminate WS at the server and relay authorized events to clients
  • Avoid direct browser → backend WS when auth/secrets are involved