Reputation: 29767
I'm setting up the Parse framework in JavaScript. I notice that I need to call
Parse.initialize("app", "secret")
Since this is in the page source, couldn't anyone take this and make calls against my account?
Is there a more secure way to store this info?
Upvotes: 1
Views: 580
Reputation: 14046
As per the Parse Security Guide, your JavaScript key is NOT secret:
When an app first connects to Parse, it identifies itself with an Application ID and a Client key (or REST Key, or .NET Key, or JavaScript Key, depending on which platform you're using). These are not secret and by themselves they do not secure an app. These keys are shipped as a part of your app, and anyone can decompile your app or proxy network traffic from their device to find your client key. This exploit is even easier with JavaScript — one can simply "view source" in the browser and immediately find your client key.
So yes, anyone who finds your key can make calls. But you can (and should) restrict what anyone with the key can do.
Using Class-Level Permissions you restrict what can be done with individual classes.
Using Object-Level Permissions you restrict what can be done with selected objects.
See also Roles and Roles Hierarchy for simultaneously setting permissions for a group of several users.
For instance, you can restrict access to only specific users. Access is granted only if one of those users is logged in. Any other "hacker" can try to use your keys, but the request will be rejected by Parse.
Upvotes: 2
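The layered checks the answer describes, as an added example that is not part of the original answer: it models in plain JavaScript (no SDK calls) how Parse evaluates class-level permissions and an object's ACL once the app has been identified by its public key, using the JSON shape Parse stores them in; the user object shape and the sample Post data are assumptions constructed for the example.

```javascript
// Added example, not from the question or answer: a small model of the checks
// Parse applies after it has identified the app by its (public) JS key.
// Whether a request succeeds depends on the class-level permissions (CLP)
// of the class, the ACL of the object, and who, if anyone, is logged in.
// Both use the key scheme of Parse's stored JSON:
//   "*"           everyone (including requests carrying only the key),
//   "<objectId>"  one specific user,
//   "role:<name>" every member of that role.

// user is null for a request that only carries the app key, otherwise
// { id: "<objectId>", roles: ["<role name>", ...] } (assumed shape).
function grants(rule, user) {
  if (!rule) return false;
  if (rule["*"] === true) return true;
  if (!user) return false;                     // only the key: treated as public
  if (rule[user.id] === true) return true;
  return (user.roles || []).some((r) => rule["role:" + r] === true);
}

// CLP: per-operation rules for the whole class. An operation with no rule
// is open, which is the default the answer warns about.
function clpAllows(clp, op, user) {
  return !clp || !clp[op] ? true : grants(clp[op], user);
}

// ACL: per-object rules stored as { key: { read: bool, write: bool } }.
function aclAllows(acl, access, user) {
  if (!acl) return true;                       // object without ACL is public
  const rule = {};
  for (const k of Object.keys(acl)) rule[k] = acl[k][access] === true;
  return grants(rule, user);
}

// A request is accepted only if both layers allow it.
function isAllowed(clp, acl, op, user) {
  const access = op === "find" || op === "get" ? "read" : "write";
  return clpAllows(clp, op, user) && aclAllows(acl, access, user);
}

// Constructed sample data: a Post class anyone may read, only Admins may
// create in, and whose objects only the owner or an Admins member may update.
const postCLP = { find: { "*": true }, create: { "role:Admins": true } };
const postACL = { "*": { read: true }, u_alice: { read: true, write: true },
                  "role:Admins": { read: true, write: true } };
const anonymous = null;                        // has the JS key, nothing else
const alice = { id: "u_alice", roles: [] };
const admin = { id: "u_admin", roles: ["Admins"] };

function demo() {
  return {
    anonRead:    isAllowed(postCLP, postACL, "find",   anonymous), // true
    anonUpdate:  isAllowed(postCLP, postACL, "update", anonymous), // false: ACL
    anonCreate:  isAllowed(postCLP, null,    "create", anonymous), // false: CLP
    aliceUpdate: isAllowed(postCLP, postACL, "update", alice),     // true
    adminCreate: isAllowed(postCLP, null,    "create", admin),     // true
  };
}
```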