OJB1

Reputation: 2795

Net Core - How to manage credentials securely within JavaScript?

I'm looking at using a JavaScript API (npm package) in my Net Core project where I will require fetching the API key from my Net Core server in order to use the API within JS. In the past I've always used external APIs through C# on the server side so things like passwords and keys are never exposed to the UI / browser client.

The library I'm looking at is for Elastic Cloud, https://www.elastic.co/guide/en/elasticsearch/client/javascript-api/current/client-connecting.html although the choice of API is not wholly relevant to the question as I'm interested more in understanding how secret keys and credentials are generally handled securely within JS (client side code) when using a NET Core project...

My initial idea was to fetch the API key and credentials using AJAX from my Net Core controller, then as soon as I return the secret keys I would run the call to the external API, then as soon as the call is processed then I would delete the keys in JS, but this clearly isn't the right way to go about it because anyone debugging the JS code would surely be able to sniff out the details that I don't want to be exposed.

It's a fairly generic question but not something I've had to think about before, could someone please point me in the right direction of what procedure or methodology needs to be followed here?

I've realised that I could save a lot of development time by calling an external API through JS rather than having to create a load of server side code as well. Many thanks.

Upvotes: 0

Views: 145

Answers (1)

Jonas Høgh

Reputation: 10884

Don't. If you do not trust the client to debug and reverse engineer your code, grab the API key and perform any and all operations that the key grants him access to, that key has no business on the client side at all. Hide the API behind a server-side layer that you control; even if it's more time consuming, it is the only way to securely restrict access.

Upvotes: 1
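The server-side layer the answer recommends, as an added example (this is not code from the question, the answer, or the Elasticsearch client; it is written in Node.js rather than C# so the proxy and the browser side use the same language). The deployment URL, the index name, the key value and the `fakeElasticSend` reply are constructed for illustration; the `ApiKey` Authorization header is the format Elasticsearch documents. The browser only ever talks to the application's own origin, the key is attached on the server, and the client cannot choose the index, path or method.

```javascript
// Added example: a minimal server-side proxy that keeps an Elasticsearch
// API key off the browser. All names, URLs and the key below are constructed.

// In production load this from configuration/secret storage; it must never
// be embedded in, or returned to, any client-side asset or AJAX response.
const ELASTIC_API_KEY = "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="; // constructed
const ELASTIC_URL = "https://example-deployment.es.example.com:9243"; // hypothetical
const ALLOWED_INDEX = "products"; // the only index the browser may search

// Validate untrusted input from the browser. Only a search term and a
// bounded page size are accepted; any other field is ignored.
function validateClientRequest(body) {
  if (body === null || typeof body !== "object") {
    throw new Error("request body must be a JSON object");
  }
  const { term, size = 10 } = body;
  if (typeof term !== "string" || term.length === 0 || term.length > 200) {
    throw new Error("term must be a non-empty string of at most 200 characters");
  }
  if (!Number.isInteger(size) || size < 1 || size > 50) {
    throw new Error("size must be an integer between 1 and 50");
  }
  return { term, size };
}

// Build the request the server sends upstream. Method, path, index and the
// Authorization header are fixed here; the client cannot influence them.
function buildUpstreamRequest(clientBody) {
  const { term, size } = validateClientRequest(clientBody);
  return {
    method: "POST",
    url: `${ELASTIC_URL}/${ALLOWED_INDEX}/_search`,
    headers: {
      Authorization: `ApiKey ${ELASTIC_API_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ size, query: { match: { title: term } } }),
  };
}

// Return only the fields the UI needs. Nothing from the upstream envelope
// (shard info, raw _source, headers) is passed through to the browser.
function shapeResponseForClient(upstreamJson) {
  const hits = (upstreamJson.hits && upstreamJson.hits.hits) || [];
  const totalObj = upstreamJson.hits && upstreamJson.hits.total;
  const total = totalObj !== null && typeof totalObj === "object" ? totalObj.value : hits.length;
  return {
    total,
    results: hits.map((h) => ({ id: h._id, title: h._source && h._source.title })),
  };
}

// The proxy endpoint handler. `send` is the transport (in production an HTTP
// call to Elasticsearch); it is injected so the example runs offline. The
// API key exists only in `upstream`, never in what this function returns.
function handleSearch(clientBody, send) {
  const upstream = buildUpstreamRequest(clientBody);
  const upstreamJson = send(upstream);
  return shapeResponseForClient(upstreamJson);
}

// What the browser builds for fetch(): a same-origin call carrying the
// user's session cookie, not an API key.
function browserSearchRequest(term) {
  return {
    url: "/api/search",
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ term }),
  };
}

// Constructed stand-in for an Elasticsearch _search reply, used offline.
function fakeElasticSend(upstream) {
  return {
    took: 3,
    hits: {
      total: { value: 1, relation: "eq" },
      hits: [{ _index: ALLOWED_INDEX, _id: "1", _score: 1.0, _source: { title: "widget", cost: 12 } }],
    },
  };
}

console.log(JSON.stringify(handleSearch({ term: "widget", size: 5 }, fakeElasticSend)));
```

The same shape applies to an ASP.NET Core controller: the action validates the incoming model, builds the Elasticsearch call with the key read from configuration, and returns a trimmed DTO. Whatever the key can do, the proxy endpoint can do on the caller's behalf, so it must sit behind the application's normal authentication and authorization, and the key itself should be scoped to the minimum privileges the endpoint actually needs.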
