On my site I use the Facebook API, via ACCESS_TOKEN . This 'key' of access to everything that the corresponding application can provide, that is, it is not feasible to leave it public. In view of this, I would like to know the best way to 'hide' this key.
Here is part of the code for the question:
var endereco = "https://graph.facebook.com/"+ page_id +"/posts?access_token="+ token +"&limit=15";
$.getJSON(endereco, function(data) {
//função
});
Access credentials (passwords, keys, tokens) should never be stored in the source code (hardcoded) but rather be part of a configuration file (i.e. data). I do not know Jekyll, but a quick look at the documentation suggests the _config.yaml file (you who are more familiar should know the location most appropriate). The reason is simple: even if you can give full security to your sources, in the case of a breach (break / break / leak) you would have to modify the program to fix it - instead of tinkering with a single file. p>
As for keeping this access token confidential, I have some comments:
https , it should be well man-in-the-middle. Even in the query string. In general it is not good to use sensitive data in the query string (as they may end up in the server logs), but if it is unavoidable at least it is protected by https . It really is complicated ... Because everyone can have access to your Javascript file so even if you "encrypt" you will have to take the encryption through some function or something to provide Facebook. In that case the person could go in the source code of the function and make the reverse mode to take the encryption.
In short, you will do a job that will not succeed.
An output and make a webservice where you access through your JS and from there you choose what can be accessed.