What if we just have a static HTML page with JS?
Like some demo website using example.github.io / some static demo project page.
I want to use the key in client-side code. I think if OpenAI provided a menu for allowing certain domains for each secret key, it would be very helpful and solve the security issue.
A “certain domain” is not an option. The API responds back to the IP address making the request, not a domain.
A reverse lookup, an IP block search, or rules? And where would OpenAI see the request coming from? A Cloudflare firewall…
If it could see the other side of “github”, it’s going to get a random cdn load balancer IP like cdn-185-199-111-153.github.com. Another site and it might get a shared host name.
Then I just put my own project on github to abuse your extracted key anyway.
Or read my desktop copy of “IP Spoofing for Dummies” and have fun on your dime.
Do not put your API key in client code. You are not as clever as a determined attacker. Treat it like your bank password.