Why Global Fetch Defaults Can Leak API Tokens

https://hackernoon.imgix.net/images/Q5RUXLV7a7ZABy6Yejv6x9XcLze2-f4825qp.png

The Problem

You set up an API client once, with sane defaults:

  • a base URL,
  • an auth header,
  • a timeout.

Every part of your app uses it.

Then your app grows. Now you’re calling three different services.

  • One needs a different auth scheme.
  • Second one has its own timeout requirements.
  • Third one should never, under any circumstance, accidentally pick up the Authorization header meant for a different host.

With most fetch wrappers, “default” means “global”. Set it once, and it quietly applies everywhere, including places you didn’t intend.

This is a documented, known footgun in popular libraries. Axios’s own docs warn about it directly:

Axios warning: f your app talks to more than one domain, a global default Authorization header gets sent to all of them, including third-party APIs you do not control.

Their recommended fix is discipline. You must always remember to scope a custom instance for any client...

Copyright of this story solely belongs to hackernoon.com. To see the full text click HERE

Read more