Reputation:
Where should I store a client secret in a javascript application
Where should I store a client secret in a JavaScript application to prevent other users from getting access to it? My particular use case is an AngularJS SPA.
The client secret is a guid which is generated at login and passed back to the client, expires after 15 minutes of inactivity.
Considering the nature of my secret key, should I even care?
Upvotes: 2
Views: 2053
Answers (1)
Reputation: 5682
2 things:
One: You can't. It's on their side, anyone with access (to the computer while that user is logged in) and knowledge will be able to see it. As well as anyone that intercepts the transmission from client to server (if your not using https).
Two: It's not necessary if you are implementing it correctly.
- Meaning will it ever be valid again, after it expires, or is it a one off*?
- Is it authenticated against the other half on your server?
*By one off, I mean a GUID is supposed to be globally unique. Are you using the same GUID each time for each user or are you scrapping it and the next time assigning them a new one? If the first you have an issue.
If your doing all those things then you really don't need to worry about it.
Upvotes: 1
Related Questions
- Where to store JWT token in angular?
- How to handle client secret in angular code in a public site
- For Angular applications where should I store the JWT Tokens those are generated from Auth Server?
- Angular - Where to store permanent user information except on local storage
- Where to store client data in angular which is later used in REST-API for getting information
- Where to store the user credentials in an Angular application?
- Where to store config variable in angular 2.0 like client credentials for API
- How to securely store hard-coded API credentials in Javascript
- where to store the secret keys and app ids in front end angularjs app
- How not to expose App secret and key on a pure HTML5 client application