In serverless mode
Meaning the front end requests Squidex directly to get contents.
How secure is the client access? The client ID and secret are embedded in the front-end application; how can they be protected?
Can we specify a referer to limit the problem?
How would a referrer solve your problem? It is only an HTTP header; everybody can fake it.
I would use fine-grained permissions to create a client with the minimum needed privileges.
Thank you for your answer.
Yes, you're right, it's relatively easy to forge a fake referer. But forging it once, or using a proxy that updates the referer, is not easy for everyone; use without referer protection is the easiest and is accessible to all…
When you use the Google Maps API, the referer is used; maybe it's a good start.
But Google Maps is a JavaScript SDK; it makes no sense to attack from an API.