Security: Move OpenAI API calls to server-side and implement protection measures#5

Draft
Copilot wants to merge 6 commits into main from copilot/find-security-issues

Conversation

Copilot AI commented Dec 8, 2025

OpenAI API keys were exposed to client-side code via NEXT_PUBLIC_ environment variables, making them visible in browser bundles and network requests. Anyone could extract and abuse the keys.

Changes

Server-side API endpoint (src/app/api/company/route.ts)

  • All OpenAI calls now proxied through Next.js API route
  • Rate limiting: 10 req/min per IP (in-memory, recommend Redis for production)
  • Input validation: 3-500 characters, sanitized before OpenAI
  • Prompt injection protection: role-based message structure separates system prompts from user input
  • Error handling returns generic messages to client, logs details server-side

Client component (src/components/AIForm.tsx)

// Before: Direct OpenAI call from the browser, with the key in the client bundle
const name = await getCompanyName(description);

// After: Server-side proxy; the browser only talks to our own API route
const response = await fetch('/api/company', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ description })
});
const data = await response.json(); // { name } on success, { error } otherwise

Environment variables

  • Removed NEXT_PUBLIC_ prefix from OPENAI_API_KEY and OPENAI_ORG_ID
  • Updated GitHub Actions workflow to match
  • Keys now server-only, never sent to browser

Cleanup

  • Deleted src/api/openaiCommunicator.tsx (insecure client-side implementation)
  • Fixed .gitignore to allow .env.example

Deployment

Repository secrets must be renamed:

  • NEXT_PUBLIC_OPENAI_API_KEY → OPENAI_API_KEY
  • NEXT_PUBLIC_OPENAI_ORG_ID → OPENAI_ORG_ID

See MIGRATION_GUIDE.md for complete instructions.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • fonts.googleapis.com
    • Triggering command: /usr/local/bin/node node /home/REDACTED/work/AICompanyGenerator/AICompanyGenerator/src/node_modules/.bin/next build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Go through this implementation and find all the security issues within it. I am especially concerned how api keys etc can be leaked


Copilot AI and others added 5 commits December 8, 2025 19:58
Co-authored-by: RickardHF <11062013+RickardHF@users.noreply.github.com>
Co-authored-by: RickardHF <11062013+RickardHF@users.noreply.github.com>
Co-authored-by: RickardHF <11062013+RickardHF@users.noreply.github.com>
Co-authored-by: RickardHF <11062013+RickardHF@users.noreply.github.com>
Co-authored-by: RickardHF <11062013+RickardHF@users.noreply.github.com>
Copilot AI changed the title [WIP] Identify security vulnerabilities in implementation Security: Move OpenAI API calls to server-side and implement protection measures Dec 8, 2025
Copilot AI requested a review from RickardHF December 8, 2025 20:11