Reputation: 31
HTML request obfuscation in the event of external APIs with passkeys
So assume I'm using some external API, where I'm required to send it an ID and passkey such as http://whatever.com/api?id=asdfg&key=_hjkl&request=whatever
I'm going to need to have that ID/key stored somewhere and I could get away with not exposing it to the user by putting it in a database or something, but whenever the request is actually shot off is there no way to hide it?
Upvotes: 0
Views: 101
Answers (2)
Reputation: 864
If the api provides a POST method, you can use that, without having to show the parameters.
Using POST method to hide URL parameters
Upvotes: 0
Reputation: 943568
No, there isn't.
If you want the client to authenticate against a service, then the client has to have the authentication credentials. Anything you give to the client, you also give to the user of the client.
If you want to add some kind of protection, then proxy it though your own server or use a time limited token - but keep in mind that anybody can still hit the appropriate end points to get access.
If you are giving data to the client, then you are running a public API and it is best to think of it in those terms.
Upvotes: 1
Related Questions
- Prevent key leak in HTTP GET requests
- Securing/Obfuscating JavaScript API requests
- JS / jQUERY - To make variable which contains API key invisible in the JS code
- Concealing JS/logic from user in HTML page
- Javascript how to hide Consumer Key and Sercret in WebApp?
- Protect Web API from unauthorized applications
- How to ensure only your javascript can connect to your webserver
- javascript hide code for secret keys etc
- Encode/obfuscate HTTP parameters
- Ideas on Protecting Web App data sources