Skip to content

Security: Daniyal-Rashid-00/Email-Generator

Security

SECURITY.md

Security Guide: API Key Protection

Important Reality Check

⚠️ For client-side applications, API keys CANNOT be completely hidden.

When you build a React/Vite app, the API key gets bundled into the JavaScript files that are sent to the browser. Anyone can:

  • View the page source
  • Open browser DevTools → Network tab
  • See the API key in the JavaScript bundle

This is unavoidable for front-end-only apps.

What You CAN Do

1. ✅ Use API Key Restrictions (MOST IMPORTANT)

This is your real security layer:

  1. Go to Google Cloud Console
  2. Edit your API key
  3. Set Application restrictionsHTTP referrers
  4. Add only your domain: 
    https://daniyal-rashid-00.github.io/*
https://your-custom-domain.com/*
  5. Set API restrictions → Only enable "Generative Language API"

Result: Even if someone steals your API key, it won't work from other domains.

2. ✅ Keep API Key Out of Source Code

  • ✅ Use GitHub Secrets (you're already doing this)
  • ✅ Use environment variables
  • ❌ Never hardcode the key in your code

3. ✅ Monitor Usage

  • Set up billing alerts in Google Cloud Console
  • Monitor API usage regularly
  • Set up rate limiting if possible

4. ✅ Use Private Repository (Optional)

GitHub Pages: Requires GitHub Pro ($4/month) for private repos

Better Free Alternatives:

  • Vercel: Free tier supports private repos ✅
  • Netlify: Free tier supports private repos ✅
  • Cloudflare Pages: Free tier supports private repos ✅

Making Your Repo Private

Option A: Switch to Vercel (Recommended - Free)

  1. Push your code to GitHub (can be private)
  2. Go to vercel.com
  3. Import your private repository
  4. Add environment variable: VITE_GEMINI_API_KEY
  5. Deploy!

Benefits:

  • ✅ Free
  • ✅ Supports private repos
  • ✅ Automatic deployments
  • ✅ Custom domains
  • ✅ Better performance (CDN)

Option B: Upgrade to GitHub Pro

  • Cost: $4/month
  • Allows private repos with GitHub Pages
  • Other GitHub features included

Option C: Keep Repo Public (Current Setup)

This is actually fine because:

  • ✅ Your API key is in GitHub Secrets (not in source code)
  • ✅ API key restrictions protect you
  • ✅ The key would be visible in the deployed bundle anyway (even with private repo)

Recommended Approach

  1. Keep using GitHub Secrets (you're already doing this ✅)
  2. Set up API key restrictions in Google Cloud Console (most important!)
  3. Monitor your API usage regularly
  4. Consider switching to Vercel if you want private repo + free hosting

Bottom Line

Making the repo private won't hide your API key from the deployed site - it will still be visible in the browser. The real security comes from:

  1. API key restrictions (domain whitelist)
  2. API usage monitoring
  3. Not hardcoding keys in source code (use secrets/env vars)

Your current setup with GitHub Secrets is already good! Just make sure API key restrictions are configured properly.

There aren’t any published security advisories