Some secret management belongs in your HTTP proxy

https://blog.exe.dev/http-proxy-secrets

Article

TL;DR: Inject API keys at the proxy layer so secrets never enter your app process at all.

Key Takeaways

  • Proxy intercepts outbound requests and injects auth headers, so keys stay out of app memory
  • Centralizes secret rotation and enables dummy-server swaps in tests via URL rewriting
  • TLS MITM to inject headers is itself a new attack surface; cert handling must be airtight
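The per-request policy such a proxy applies, as an added example rather than code from the blog post: the app process never holds the key, the proxy attaches it only to requests for the configured host (and drops any stale header the app sent), and in test mode the URL is rewritten to a dummy server. The host names and key value are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    header: str                      # header the proxy injects, e.g. Authorization
    value: str                       # the secret; lives only in the proxy process
    test_host: Optional[str] = None  # dummy server used when test_mode is on


# Constructed policy: one upstream host, one key. Matching is on the exact
# authority (host[:port]) so a request to any other host gets no secret.
POLICY = {
    "api.example.com": Rule(
        "Authorization", "Bearer sk-CONSTRUCTED-NOT-REAL", "localhost:8081"
    ),
}


def apply_policy(req: Request, policy: Dict[str, Rule], test_mode: bool = False) -> Request:
    """Return the request the proxy should forward upstream."""
    parts = urlsplit(req.url)
    rule = policy.get(parts.netloc.lower())
    if rule is None:
        return req  # unknown destination: forward untouched, never attach a key
    # Strip any value the app supplied for this header so a stale or wrong
    # key in app code can never reach the upstream.
    headers = {k: v for k, v in req.headers.items() if k.lower() != rule.header.lower()}
    headers[rule.header] = rule.value
    url = req.url
    if test_mode and rule.test_host:
        # URL rewriting: same path and query, routed to the local dummy server.
        url = urlunsplit(("http", rule.test_host, parts.path, parts.query, parts.fragment))
    return Request(req.method, url, headers)
```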

Discussion

  • [danlitt]: URL rewriting also enables hitting dummy servers in tests — useful bonus
  • [thewisenerd]: MITM TLS proxy also enables tighter egress firewalling than nslookup-based rules
  • [rtrgrd]: Standing up MITM certs just to add a header introduces its own security risk

    setting up certs to MITM https requests to add a header seems like a decently big security risk

  • Community split: elegant secret isolation vs. MITM cert setup creating a new attack surface.

Discuss on HN


Type Link
Added Apr 22, 2026
Modified Apr 22, 2026