Get help on Discord

Discussion on protecting project ID and dataset in Nuxt project with Sanity

9 replies
Last updated: Mar 22, 2022
Hello everyone,Today I'm going to publish my first Nuxt project paired with Sanity!
:sanity:šŸŽ‰But I wonder if anyone knows how I can "protect" my project_id and dataset with .env-variables

I've googled but I didn't find something useful, really
AI Update

Congrats on your first Nuxt + Sanity project! šŸŽ‰

Great news: you don't actually need to protect your project_id and dataset with environment variables from a security perspective. Here's why:

Your project ID and dataset are meant to be public information. Even if someone knows them, they cannot write or modify your content without proper authentication. To mutate your content, they would need:

  1. A valid write token with the correct permissions
  2. Or authenticated access to your Sanity account

When you use Sanity Studio, authentication tokens are automatically generated when you log in. So even if someone had your project ID, dataset, and even your entire source code, they still couldn't do anything to your data without your Sanity login credentials.

That said, you can still use environment variables if you want to keep your configuration clean and flexible across different environments. In Nuxt, you'd configure it like this in your nuxt.config.ts:

export default defineNuxtConfig({
  modules: ["@nuxtjs/sanity"],
  sanity: {
    projectId: process.env.NUXT_PUBLIC_SANITY_PROJECT_ID,
    dataset: process.env.NUXT_PUBLIC_SANITY_DATASET,
  },
});

Then create a .env file:

NUXT_PUBLIC_SANITY_PROJECT_ID=your_project_id
NUXT_PUBLIC_SANITY_DATASET=your_dataset

About CORS origins: You can keep localhost:3000 in your CORS settings - it makes local development much easier. If you want extra obscurity (though it's not a real security measure), you could run your Studio on a non-standard port like sanity start --port=12345 and add that to your CORS origins instead.

The bottom line: Your content is already protected by Sanity's authentication system, regardless of whether your project ID is visible or not. Anyone can read your public data, but only authenticated users can write to it.

Check out the Nuxt quickstart guide for more details on configuration, and the Studio environment variables documentation if you want to dive deeper into environment configuration.

Alright, I just want to make sure that no one can see the project Id, so they can't start publishing content if they add it to their own project that runs on localhost:3000, since that allowed in my CORS-origin.
I might answer my own question, but if I deploy my studio to
mydomain.com/studio and remove localhost:3000 from the CORS, I should be good, right?
No one can mutate any of your content without either write access or a valid write token. Yes, you could remove localhost:3000 from your CORS origins and things would still work from your deployed domain.
Hey Andreas, Andreas here.If I knew your project ID and dataset (and the correct URLs) i could read data from your studio, but not write to it. For that Iā€™d need to be authenticated with a token.

When you use sanity studio you donā€™t need to write that token because it is magically generated when you login. So without knowing your sanity login I couldnā€™t do anything to your data even if I had the source code for you project, and I knew your project ID and your dataset

So I would recommend keeping localhost:3000 as CORS, it makes life easier to be able to run studio localhost
šŸ™‚
Ahh, makes sense!Thanks a lot
user A
&
user F
šŸ˜„
Thanks Andreas. Another option (though itā€™s security through obscurity and is not a guarantee) is to run the Studio locally on a non-standard port. 
sanity start --port=12345
with 
<http://localhost:12345>
in your CORS origins.
Yeah, that's true.I found this when I searched for deploying the studio

https://www.sanity.io/docs/studio-environment-variables But I forgot about the fact that Andreas wrote, that I the user needs to be authenticated with my Sanity account
So I doubt it would be a problem šŸ‘
Thereā€™s also the 
-H
flag on yarn and npm. You could potentially use that to start your local studio on a local IP address. Again, itā€™s security by obscurity, but at this point someone is going to a lot of effort just to read data youā€™ve declared as public.
Let us know how things go.
šŸ™‚
Excuse me if this is the wrong place to ask, but I've read through the document to self deploy a studio, but I'm confused,
https://www.sanity.io/docs/deployment
Since I'm using Nuxt, I have a 
pages
folder where all the routes can be found.So my first guess was to add the deployed sanity studio to the 
pages/studio
folder, but it gives me a 404.
Do you know how this can be solved?

Sanity ā€“ Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Was this answer helpful?