Discussion on protecting project ID and dataset in Nuxt project with Sanity

9 replies
Last updated: Mar 22, 2022
Hello everyone, Today I'm going to publish my first Nuxt project paired with Sanity! 🎉
But I wonder if anyone knows how I can "protect" my project_id and dataset with .env-variables

I've googled but I didn't find something useful, really
Mar 22, 2022, 3:15 PM
Alright, I just want to make sure that no one can see the project ID, so they can't start publishing content if they add it to their own project that runs on localhost:3000, since that's allowed in my CORS-origin.
I might answer my own question, but if I deploy my studio to mydomain.com/studio and remove localhost:3000 from the CORS, I should be good, right?
Mar 22, 2022, 3:25 PM
No one can mutate any of your content without either write access or a valid write token. Yes, you could remove localhost:3000 from your CORS origins and things would still work from your deployed domain.
Mar 22, 2022, 3:27 PM
Hey Andreas, Andreas here. If I knew your project ID and dataset (and the correct URLs) I could read data from your studio, but not write to it. For that I’d need to be authenticated with a token.

When you use sanity studio you don’t need to write that token because it is magically generated when you log in. So without knowing your sanity login I couldn’t do anything to your data even if I had the source code for your project, and I knew your project ID and your dataset

So I would recommend keeping localhost:3000 as CORS, it makes life easier to be able to run studio localhost
🙂
Mar 22, 2022, 3:28 PM
Ahh, makes sense! Thanks a lot user A & user F 😄
Mar 22, 2022, 3:30 PM
Thanks Andreas. Another option (though it’s security through obscurity and is not a guarantee) is to run the Studio locally on a non-standard port.
sanity start --port=12345
with http://localhost:12345 in your CORS origins.
Mar 22, 2022, 3:31 PM
Yeah, that's true. I found this when I searched for deploying the studio
https://www.sanity.io/docs/studio-environment-variables
But I forgot about the fact that Andreas wrote, that I, the user, need to be authenticated with my Sanity account
Mar 22, 2022, 3:34 PM
So I doubt it would be a problem 👍
Mar 22, 2022, 3:35 PM
There’s also the -H flag on yarn and npm. You could potentially use that to start your local studio on a local IP address. Again, it’s security by obscurity, but at this point someone is going to a lot of effort just to read data you’ve declared as public.
Let us know how things go.
🙂
Mar 22, 2022, 3:35 PM
Excuse me if this is the wrong place to ask, but I've read through the document to self deploy a studio, but I'm confused,
https://www.sanity.io/docs/deployment
Since I'm using Nuxt, I have a pages folder where all the routes can be found. So my first guess was to add the deployed sanity studio to the pages/studio folder, but it gives me a 404.
Do you know how this can be solved?
Mar 22, 2022, 4:11 PM
