It seems to me that the Adding Authentication Headers section is very misleading in the way it suggests implementing authentication.
It encourages passing the Hasura admin secret as the `x-hasura-admin-secret` HTTP header, but this should be kept for early development stages only.
If such code ever gets deployed to production, then basically the Hasura admin secret will be embedded in the (client-side) JS code, as well as in each HTTP request.
To me, this doc section should rather encourage providing only the JWT token, or at least add a very highlighted warning note about it.
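Added example, not part of the original issue or of the Hasura documentation: a build-time check that flags client code referencing the `x-hasura-admin-secret` header, next to a header builder that sends only the signed-in user's JWT. It assumes Hasura runs in JWT mode and reads the token from the `Authorization: Bearer` header; `findAdminSecretUse`, `buildAuthHeaders`, `getToken` and the sample bundle are hypothetical names and constructed data.

```javascript
// Added example: names and sample data below are constructed for illustration.
const ADMIN_HEADER = /x-hasura-admin-secret/i;

// Constructed sample of client-side code that follows the pattern the issue
// objects to: the admin secret is shipped to every browser in the bundle.
const sampleBundle = [
  "const client = createClient({",
  "  url: 'https://example.invalid/v1/graphql',",
  "  headers: { 'x-hasura-admin-secret': 'PLACEHOLDER_SECRET' },",
  "});",
].join("\n");

// Return the 1-based line number and text of every line in `source` that
// references the admin-secret header. Intended for a CI step over built
// client bundles, so such a build fails before it is deployed.
function findAdminSecretUse(source) {
  return source
    .split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => ADMIN_HEADER.test(text));
}

// Build per-request headers from the signed-in user's JWT only.
// `getToken` is a hypothetical callback supplied by the app's auth layer.
function buildAuthHeaders(getToken) {
  const token = getToken();
  // A compact JWT has three dot-separated parts; anything else sends no credentials.
  if (typeof token !== "string" || token.split(".").length !== 3) {
    return {};
  }
  return { Authorization: `Bearer ${token}` };
}

const findings = findAdminSecretUse(sampleBundle);
for (const f of findings) {
  console.log(`admin secret header in client code, line ${f.line}: ${f.text}`);
}
console.log(buildAuthHeaders(() => "header.payload.signature"));
```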