JavaScript Encryption

8

On my site I use the Facebook API via an ACCESS_TOKEN . This 'key' gives access to everything that the corresponding application can provide, that is, it is not feasible to leave it public. In view of this, I would like to know the best way to 'hide' this key. Here is the part of the code the question is about:

    // Build the Graph API URL; note that the token ends up in the client-side source and the query string
    var endereco = "https://graph.facebook.com/" + page_id + "/posts?access_token=" + token + "&limit=15";

    $.getJSON(endereco, function(data) {
        // function
    });
asked by anonymous 09.03.2014 / 18:36

2 answers

5

Access credentials (passwords, keys, tokens) should never be stored in the source code (hardcoded), but rather be part of a configuration file (i.e. data). I do not know Jekyll, but a quick look at the documentation suggests the _config.yaml file (you, who are more familiar with it, should know the most appropriate location). The reason is simple: even if you can give full security to your sources, in the case of a breach (break / leak) you would have to modify the program to fix it - instead of tinkering with a single file.

As for keeping this access token confidential, I have some comments:

  • If you're using https , it should be well protected against man-in-the-middle attacks. Even in the query string. In general it is not good to put sensitive data in the query string (as it may end up in the server logs), but if it is unavoidable, at least it is protected by https .
  • If the access token is unique per user (i.e. each user can only misuse his or her own token) then there is no problem, but if a single token can affect multiple users you should not reveal it to them. After all, a single malicious user can compromise the security of everyone else.
    • The alternative would be to have a server-side script that acts as an intermediary between the client and Facebook. The token in this case would not leave the server.
  • All this assumes that you trust the hosting provider where your code is. If you do not trust it, there is little you can do about it.
09.03.2014 / 20:06
3

It really is complicated... Because everyone can have access to your JavaScript file, even if you "encrypt" the token you will have to undo the encryption through some function or similar in order to provide it to Facebook. In that case, the person could go into the source code of that function and reverse the process to remove the encryption.

In short, you would be doing work that will not succeed.

One way out is to create a web service that you access through your JS, and from there you choose what can be accessed.

09.03.2014 / 18:41