
javascript - Protecting API Key in a JS application - Stack Overflow


I am new to JavaScript.

The help I wanted was to understand how to protect the API key used to access my RESTful web services.

I am accessing some RESTful web services using API keys and I want those API keys to be protected. When I put API keys in controllers they will be visible to users, since JavaScript code can be seen by the end user.

Is there any way that I can register these as some variables and use them in controllers, so that an end user who views the JavaScript code cannot see the API key?

Thanks in advance!

asked Jan 2, 2013 at 0:15 by tglk, edited Jan 2, 2013 at 1:18
  • 1 No, you can't. Even if you somehow obfuscate your JS, the keys will still be visible in the request itself. – raina77ow Commented Jan 2, 2013 at 0:18
  • 2 Note that some APIs, such as Google's, allow you to set valid referrers for the API key. The key will only work if the request comes from that referrer. It is not exactly key protection, but it does prevent a stolen key from being used on another web site. – monsur Commented Jan 2, 2013 at 2:20

3 Answers


If you need to protect anything, do it on the server. You can proxy API calls on the server, for instance, but there's no way you can protect anything with client-side JavaScript code.

You are absolutely confused.

You are trying to achieve security by obscurity. Everything that is on the client is transparently hackable.

The user should only be allowed to access a resource after a successful authentication and authorization. Period.

So you must store your API keys on the server if they are supposed to be secret (like provided by Facebook, ...)

(btw: remove the angularjs tag).

I am using AngularJS together with PlayFramework, and it seems like I can solve the issue, as external web services/APIs are accessed through Play controllers, where controller methods are accessed by the AngularJS model with

jsRouter.controllers.Application.tasks().ajax

So, the external API keys don't have to be in AngularJS models.

Thanks all for help.
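
The server-side proxy suggested in the first answer and adopted in the last one, combined with the authentication check from the second answer, as an added example in JavaScript (not code from the thread and not the asker's Play controller). The upstream host, the path allowlist, the `/api` prefix and the Bearer header scheme are assumptions for illustration; the browser calls `/api/v1/tasks` and never sends or receives the key.

```javascript
// Added example, not from the thread. UPSTREAM, ALLOWED_PATHS and the Bearer
// header scheme are assumptions; substitute what your API provider requires.
const UPSTREAM = "https://api.example.com";
const ALLOWED_PATHS = new Set(["/v1/tasks", "/v1/projects"]); // only what the UI needs

// Translate a browser request for /api/<path> into the upstream call, or return
// null if it is not allowlisted. The key is attached here, on the server.
function buildUpstreamRequest(clientUrl, apiKey) {
  const url = new URL(clientUrl, "http://proxy.invalid"); // also normalises ../
  if (!url.pathname.startsWith("/api/")) return null;
  const path = url.pathname.slice("/api".length);
  if (!ALLOWED_PATHS.has(path)) return null; // exact match, so no open relay
  const target = new URL(path, UPSTREAM);
  target.search = url.search;
  return { url: target.href, headers: { Authorization: `Bearer ${apiKey}` } };
}

// Handle one browser request. `user` is what the session layer resolved (null if
// not logged in); `fetchImpl` is injectable so the demo below runs offline.
async function handleProxy(clientUrl, user, apiKey, fetchImpl = fetch) {
  if (!user) return { status: 401, body: "login required" };
  const upstream = buildUpstreamRequest(clientUrl, apiKey);
  if (!upstream) return { status: 404, body: "not found" };
  const res = await fetchImpl(upstream.url, { headers: upstream.headers });
  // Relay status and body only; upstream headers are not passed to the browser.
  return { status: res.status, body: await res.text() };
}

// Constructed demo: a stub stands in for the upstream service. In production the
// key would come from server configuration, e.g. process.env.
async function demo() {
  const seen = [];
  const stub = async (url, init) => {
    seen.push({ url, auth: init.headers.Authorization });
    return { status: 200, text: async () => '[{"id":1}]' };
  };
  const key = "PLACEHOLDER-KEY";
  const ok = await handleProxy("/api/v1/tasks?done=0", { id: "u1" }, key, stub);
  const anon = await handleProxy("/api/v1/tasks", null, key, stub);
  const blocked = await handleProxy("/api/v1/admin", { id: "u1" }, key, stub);
  return { ok, anon, blocked, seen };
}
demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The allowlist matters as much as hiding the key: a proxy that forwards arbitrary paths lets any visitor spend the key's quota and privileges without ever seeing it.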
