How to keep API keys secret when using client-side JavaScript?

你的背包 2020-12-13 05:46

For example, check out this Facebook plugin.

On the client side the API key is clearly visible. What is stopping another user from obtaining this key and using this

2 Answers
  • 2020-12-13 06:24

    In three words: server-side validation. FB itself will throw an error when you use a key that's incorrect for the given site. The API key is not supposed to be secret (as opposed to the secret key).

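The server-side check the first answer describes, as an added example that is not part of the original answers and is not Facebook's code: a public API key is accepted only when the request comes from an origin registered for that key. The registry, the key values and the function names are hypothetical.

```javascript
// Added example. KEY_REGISTRY, originOf and validateRequest are hypothetical
// names; the keys and sites below are constructed sample data.

// Public API key -> set of origins the key was registered for.
const KEY_REGISTRY = new Map([
  ['pk_demo_111', new Set(['https://shop.example'])],
  ['pk_demo_222', new Set(['https://blog.example', 'https://www.blog.example'])],
]);

// Normalise an Origin or Referer header value to scheme://host[:port].
// Returns null for missing, opaque ("null") or unparsable values.
function originOf(headerValue) {
  if (!headerValue) return null;
  try {
    const u = new URL(headerValue);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin; // host lowercased, default port dropped
  } catch {
    return null;
  }
}

// Decide whether a request carrying apiKey may be served.
// headers: lower-cased request headers as a plain object.
function validateRequest(apiKey, headers) {
  const allowed = KEY_REGISTRY.get(apiKey);
  if (!allowed) return { ok: false, status: 401, reason: 'unknown_key' };

  // Prefer Origin; fall back to Referer only when Origin is absent.
  const raw = headers.origin !== undefined ? headers.origin : headers.referer;
  const origin = originOf(raw);
  if (!origin) return { ok: false, status: 403, reason: 'missing_origin' };

  // Exact match on the parsed origin, never a substring or prefix test,
  // so "https://shop.example.evil.test" does not pass for "https://shop.example".
  if (!allowed.has(origin)) {
    return { ok: false, status: 403, reason: 'origin_mismatch' };
  }
  return { ok: true, status: 200, origin };
}
```

Browsers set the Origin header themselves, but a non-browser client can send any value, so this check limits reuse of the key by pages on other sites; anything that needs real authentication stays behind the secret key on the server.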
  • 2020-12-13 06:29

    I haven't done this myself, but I know that the kind of attack you are worried about is called Cross-site Request Forgery (CSRF). The Wikipedia article on that gives some hints on how to prevent it.
