How to keep API private keys when using client side Javascript?

For example, check out this Facebook plugin.

On the client side, the API key is clearly visible. What prevents another user from getting this key and using this function on another site?

I decided that a very naive implementation would check the domain the request comes from, but such things are easy to fake.

If I were to create something like this, how could I provide an authentication process?

I want most of this work to be on the client side, although some form of server authentication is required? Any links or tips would be greatly appreciated.

Update

Similar question: API keys, which I found useful.

+45
javascript authentication client-side
Oct 21 '11 at 8:55
2 answers

In three words: server-side validation. FB itself throws an error if you use the wrong key for this site. The API key must not be secret (unlike the secret key).

+12
Oct 21 '11 at 8:59

I didn’t do this myself, but I know that the type of attack you are worried about is called Cross-Site Request Forgery (CSRF). The Wikipedia article gives some tips on how to prevent it.

+2
Oct 21 '11 at 9:02
