April 21, 2026
Welcome to the Proxy Wars
Some secret management belongs in your HTTP proxy
Hide your keys in a proxy — genius shortcut or risky middleman? Devs are split
TLDR: The pitch: hide app passwords behind a proxy that injects them into requests, with exe.dev offering a tool to do it. The comments split between fear of a “middleman” touching encrypted traffic, fans touting tighter control and easier testing, and skeptics asking how URL rewrites work in code. The stakes are high because secrets leak often.
Hide your app’s passwords behind a friendly bouncer — that’s the spicy pitch: move secrets into an HTTP proxy that adds the key for you, and stop letting “agents” panic when they see it. And yes, the vendor plug: exe.dev says its Integrations will do the header-injection heavy lifting.
Cue the Proxy Wars. The caution crew led by rtrgrd yells “MITM to add headers? That’s a security risk!” — translation: to slip in the key, the proxy has to sit in the middle of your HTTPS traffic, and that makes people sweaty. On the other side, thewisenerd shows receipts from Gondolin and argues it actually tightens control, with better gatekeeping and firewall rules (while admitting firewalls still leak).
Meanwhile, the pragmatists show up with popcorn and questions. danlitt loves that URL rewrite could hit fake servers in tests, but asks the real one: how does the rewrite happen if your code doesn’t hold the URL? The thread devolves into “simpler ops” vs “don’t break crypto” vs “please, just make tests easy.”
Meme of the day: “Stop letting agents hoard keys like dragon gold.” Mood check: split down the middle — fans call it clean and reversible, skeptics call it clever until it isn’t.
Key Points
- API keys are convenient but overly powerful and prone to exfiltration, creating security and operational risks.
- OAuth can rotate credentials but is often complex and relies on human-in-the-loop steps, making it ill-suited for agents.
- The article proposes using an HTTP proxy to inject authentication headers, keeping secrets out of clients and agents.
- A Stripe API example shows replacing direct key usage with an internal URL while the proxy adds headers server-side.
- exe.dev introduced “Integrations” to provide this header-injecting proxy capability as a managed cloud feature.
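
The header-injection pattern from the key points, sketched as an added example (not code from the article or from exe.dev): the client calls an internal path, and the proxy maps it to the upstream, drops any credential headers the client sent, and adds the real key server-side. The `/stripe/` prefix, the `UPSTREAM_KEY` environment variable, the port and the Bearer scheme are assumptions.

```python
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed route table: internal path prefix -> fixed upstream base URL.
ROUTES = {"/stripe/": "https://api.stripe.com/"}
# Headers the client must never control on the upstream leg.
STRIP = {"authorization", "proxy-authorization", "host", "connection", "cookie"}

def rewrite(path, headers, secret):
    """Return (upstream_url, upstream_headers), or None if the path is not routed."""
    for prefix, upstream in ROUTES.items():
        rest = path[len(prefix):]
        # Only allowlisted prefixes are forwarded; reject dot-dot segments.
        if path.startswith(prefix) and ".." not in rest:
            out = {k: v for k, v in headers.items() if k.lower() not in STRIP}
            out["Authorization"] = f"Bearer {secret}"  # injected server-side only
            return upstream + rest, out
    return None

class Proxy(BaseHTTPRequestHandler):
    def do_GET(self):
        # The secret lives only in the proxy's environment (assumed variable name).
        target = rewrite(self.path, dict(self.headers), os.environ["UPSTREAM_KEY"])
        if target is None:
            self.send_error(404, "no such integration")
            return
        url, hdrs = target
        req = urllib.request.Request(url, headers=hdrs, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body, status = resp.read(), resp.status
        except urllib.error.HTTPError as err:
            body, status = err.read(), err.code  # relay upstream error responses
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Bind to loopback only; who may reach the proxy is the new trust boundary.
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

Because the client addresses the internal path rather than the upstream host, this variant terminates no third-party TLS session. The client-to-proxy leg still needs its own access control, since anyone who can reach the proxy can spend the key.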