Why Global Fetch Defaults Can Leak API Tokens
The Problem
You set up an API client once, with sane defaults:
- a base URL,
- an auth header,
- a timeout.
Every part of your app uses it.
Then your app grows. Now you’re calling three different services.
- One needs a different auth scheme.
- Second one has its own timeout requirements.
- Third one should never, under any circumstance, accidentally pick up the Authorization header meant for a different host.
With most fetch wrappers, “default” means “global”. Set it once, and it quietly applies everywhere, including places you didn’t intend.
This is a documented, known footgun in popular libraries. Axios’s own docs warn about it directly:
Axios warning: f your app talks to more than one domain, a global default Authorization header gets sent to all of them, including third-party APIs you do not control.
Their recommended fix is discipline. You must always remember to scope a custom instance for any client...
Copyright of this story solely belongs to hackernoon.com. To see the full text click HERE