Reputation: 5182
I need to make an AJAX request from my client-side JavaScript code, posting some data to the backend with jQuery.
$.ajax({...});
The JavaScript code can be embedded by various clients, so I enabled CORS
on my backend and the requests go fine.
The backend is protected by Basic Auth,
and the auth header is stored in the JavaScript client.
How can I protect my backend so that only my client can post data, and prevent anyone else from doing this?
Upvotes: 0
Views: 3901
Reputation: 23494
You can't store secrets in JavaScript. There's no way you can hold on to a username and password without at least the user being able to get to them (F12 debugging tools). Even if you were to use JavaScript encryption, you'd still need to store the secret key somewhere on the client where it can easily be discovered.
And even if you trust the user, XSS attacks may leak this username and password info to an attacker.
That's why OAuth 2.0 uses short-lived access tokens in an implicit grant to deal with public clients.
Upvotes: 5