Hamed Minaee

Reputation: 2560

Where should I store my facebook appid? Does it need to be secured?

I am planning to add Facebook sharing to my website, and I need the following information for sharing my stuff:

// Facebook information (public client-side config; "verison" typo in the key name fixed to "version")
export const FACEBOOK = {
  "appId": "xxxxxxxxxxxxxx",
  "version": "v2.8",
  "baseUrl": "http://www.facebook.com/sharer.php?s=100&p[title]=",
  "sdkLink": "//connect.facebook.net/en_US/sdk.js"
};

I already have these and it is all working. The only problem is that I have them in my JavaScript code on the front end, and I am worried that this may raise a security issue. The only thing there that may need to be secured is the appId, but having it sent back from the backend may take some effort. Any idea what other developers usually do? Do they use it on the front end?

Upvotes: 0

Views: 203

Answers (2)

Zoobin

Reputation: 369

Please note that the App Secret is what you shall not use on the front end. It acts as the key used for back-end service-to-service interactions. It would be good practice to rotate the App Secret from time to time.

It is totally fine to use the App ID on the front-end side. This is true for all web APIs. However, you have the chance to secure and harden your API through the Dashboard.

What can help you protect your API usage is hardening your App Settings by providing a whitelist of domain names that you want your app to communicate with. This will prevent anyone else from copying and pasting your App ID into their own website and hijacking some functionality of your application's API.

I suggest you take a look and read the Security section of Facebook Developers Doc: https://developers.facebook.com/docs/facebook-login/security#surfacearea

Upvotes: 1

andyrandy

Reputation: 73994

App IDs are perfectly fine to publish in client code. App Secrets need to be kept secret, of course - as the name tells you. Any App/User/Page Token needs to be kept secret too, you can never hardcode those in client code.

Upvotes: 1
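Both answers make the same split: the App ID belongs in the public client config, while the App Secret and any App/User/Page token stay server-side. The following is an added example (not code from either answer or from Facebook's SDK) showing one way to keep that split honest: a client config that is safe to bundle, a server-only config that reads the secret from the environment, and a check that fails if a secret-looking key ever lands in the client config. The key-name pattern and the placeholder App ID are assumptions for the example.

```javascript
// Public client-side config: safe to ship in the browser bundle.
// The appId value is a constructed placeholder, not a real App ID.
const FACEBOOK_PUBLIC = {
  appId: "123456789012345",
  version: "v2.8",
  baseUrl: "http://www.facebook.com/sharer.php?s=100&p[title]=",
  sdkLink: "//connect.facebook.net/en_US/sdk.js",
};

// Key names that must never reach client code. The pattern is an assumption
// for this example; the answers name the App Secret and App/User/Page tokens.
const SECRET_KEY_PATTERN = /secret|token/i;

// Walk a config object and return the dotted paths of secret-looking keys.
function findLeakedSecrets(config) {
  const leaks = [];
  const walk = (obj, prefix) => {
    for (const [key, value] of Object.entries(obj)) {
      const path = prefix ? `${prefix}.${key}` : key;
      if (SECRET_KEY_PATTERN.test(key)) leaks.push(path);
      if (value && typeof value === "object") walk(value, path);
    }
  };
  walk(config, "");
  return leaks;
}

// Build-time guard: refuse to ship a client config that carries secrets.
function assertClientSafe(config) {
  const leaks = findLeakedSecrets(config);
  if (leaks.length > 0) {
    throw new Error(`client config contains secrets: ${leaks.join(", ")}`);
  }
  return true;
}

// Server-side only: the App Secret comes from the environment (assumed
// variable name FB_APP_SECRET), never from source that is bundled for the browser.
function serverFacebookConfig(env) {
  if (!env.FB_APP_SECRET) throw new Error("FB_APP_SECRET is not set");
  return { ...FACEBOOK_PUBLIC, appSecret: env.FB_APP_SECRET };
}

assertClientSafe(FACEBOOK_PUBLIC); // passes: only public keys present
```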
