How can I hide the secret API key when sending AJAX requests?

I am about to start working on a project that is basically a web interface for a mobile banking application. The API is ready, I only need to provide the front end of the web application. I was about to do this with Backbone / Angular / Ember but started to worry about security.

In particular, the following. Typically, each API request must contain a parameter method_code that is calculated as a hash of the user's token, the method name, and the API secret key. If I put the logic for how this parameter is calculated in one of the .js files, anyone can potentially access sensitive data using tools like Postman or even the browser console. How can I solve this problem? I could have a server-side script generate method_code for me, but can it be made available only for my web application's requests?

+3

2 answers

each API request must contain the method_code parameter, which is calculated as a hash of the custom token, the method name and the API secret key

I could have a server-side script generating the method_code for me, but is it possible to make it only available for my web application requests?

Yes, a server side script would be the way to go if you don't want to expose the API secret key in your client code, or request data.

The user token can (presumably) come from the user's session cookie value? So just use a server-side method that takes method_name and then returns method_code, computed from the secret API key (server side only) and the user token.

The same origin policy will prevent another domain from accessing your API and returning method_code. I'm also assuming the API and front-end code are running on the same domain here, although if they aren't, you can use CORS to have your front-end code read and return client-side data via the API.

+3

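A sketch of the server-side signing endpoint this answer describes, added here as an example and not taken from the original post: the secret stays on the server, the user token is looked up from the session cookie, and the API side verifies the code in constant time. The HMAC-SHA256 construction, the session store, the method allow-list and the origin value are all assumptions; the real hash formula must match whatever the banking API expects.

```python
import hashlib
import hmac

# Server-side only. Placeholder value: never ship this to the browser.
API_SECRET_KEY = b"replace-with-real-secret"

# Constructed sample session store: session cookie value -> the user's token.
# A real deployment would look this up in its session backend.
SESSIONS = {"sess-4f2a": "user-token-alice"}

# Allow-list of API method names the web front end is permitted to sign.
ALLOWED_METHODS = {"get_balance", "list_transactions"}

# Origin the signing endpoint accepts (assumed value for the example).
ALLOWED_ORIGIN = "https://bank.example"


def compute_method_code(user_token: str, method_name: str) -> str:
    """HMAC-SHA256 of the token and method name, keyed with the secret.

    The post only says method_code is a hash over these inputs; the exact
    construction is an assumption here and must match the real API.
    """
    message = f"{user_token}:{method_name}".encode()
    return hmac.new(API_SECRET_KEY, message, hashlib.sha256).hexdigest()


def sign_request(session_cookie: str, method_name: str, origin: str) -> dict:
    """Signing endpoint handler: the browser sends its session cookie and the
    method name, gets method_code back, and never sees the secret key."""
    if origin != ALLOWED_ORIGIN:
        return {"error": "forbidden_origin"}
    user_token = SESSIONS.get(session_cookie)
    if user_token is None:
        return {"error": "unauthenticated"}
    if method_name not in ALLOWED_METHODS:
        return {"error": "unknown_method"}
    return {"method_code": compute_method_code(user_token, method_name)}


def verify_method_code(user_token: str, method_name: str, method_code: str) -> bool:
    """What the API itself does: recompute the code and compare in constant time."""
    expected = compute_method_code(user_token, method_name)
    return hmac.compare_digest(expected, method_code)
```

Because the endpoint requires a valid session and only signs allow-listed methods, a caller who reaches it from Postman still only gets codes for their own token and the methods the web app already exposes.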

You can try to generate a token based on security factors, encrypt it, and use it in your requests to identify your customers and valid requests.

0
