Is it possible to encode tRPC data somehow?
I've built this webapp with t3 app and it's mostly great - however I saw that all tRPC data that's being sent from the backend can be found in the Network section of the Chrome dev tools.
Is there some way one can hide this - and at least make it a bit more tricky to get the data in raw form?
There is no private data being sent - but access to the data in raw form is one of the largest moats of my product. It's taken a lot of time to assemble the data, and it would be a shame if someone could just fetch it all using my site.
19 Replies
not sure what you're looking for here. encryption? is this a problem you've solved successfully in the past with a different backend?
generally I'd suggest to rate limit / protect endpoints to prevent someone from just downloading all your stuff
encrypting data isn't really helpful because it can still be scraped
but depends a lot on the specific problem
Nope. If you need data on the client, it has to be unencrypted. If you have secret data, only put it on your server and never send it to clients/trpc.
Or you can use a key to encrypt the data that you send to the client, and then from the client request the key to decrypt the data
The client will have the key and the unencrypted data, that's totally insecure
My endpoints are protected - but not rate limited. How would one go about solving that @cje ?
API rate limiting is a more general problem, just go read up on it
that being said there's this https://github.com/OrJDev/trpc-limiter
I haven't personally tried it though
made by @OrJDev
Just feels like it's a bit too simple to get the data - all someone would need to do is double click this tRPC request, and then get the raw data
just scrambling it somehow would be cool
if this is like a quiz
don't put the correct answers clientside probably
Are you just rendering this data on the client?
yep
Server render it
by using getStaticProps?
makes sense i guess but considering what the app is its fine if they want to cheat 🙂
How would I do this? Would it be by using getStaticProps, including the tRPC function therein and then passing the data from tRPC as a prop to the "main" function?
You shouldn’t need tRPC for this
okay, why/why not? How would you do this?
Looking through this it looks like you don't want people getting the answer from your api endpoint? If that's the case can't you just send all the questions clientside and validate answers serverside?
I don't think scrambling the data will do much, mostly you want to just not send sensitive data through
Again, server render it