I created an HTML5 app that is using the YouTube Data API v3 and want to put it on itch.io.
When I do this, the API key will be in some form in there, so people could find it (yes I could try to obfuscate, but that only makes it harder to find the key, not impossible).
So I want to restrict the project / API key as much as I can to prevent someone from misusing the key.
I hoped that I could somehow restrict it to only allow reading access (because that's all the app needs, it just queries view + like count and comments from videos), so nobody can use it to write a comment in my name or something like that. But I couldn't find that option.
What I could do so far is:
I restricted the key to only use the YouTube Data API v3
I restricted the use to HTTP referrers and to the website https://v6p9d9t4.ssl.hwcdn.net/
That last domain is the place where itch.io puts the app. But if someone would take my key and put their app on itch.io as well, that would be the same domain, so it doesn't help, really.
Is there another option to make this more secure, that I haven't found? The only thing I can imagine now is, to write a service or FaaS that my app calls (without any key) and that then calls the API. But I would like to avoid that.
I've built an app with vanilla JavaScript that searches for nearby dogs to adopt. It uses the Petfinder API, which is free. Anyone can request one. After doing some research, I've found that you cannot hide your API key and secret (without your own server, if that's correct).
So should I just go ahead and publish this website? I'm buying a domain for it and using my existing hosting. Are there any risks with having this info out there?
The app does not take in any personal information. Just searches dogs by zip code and distance, and displays info about the dog and where to contact.
I'm a beginner with this stuff, as this is my first API project.
Not hiding your API key and secret may result in others using your API for free, which is a possible abuse to you if you paid for it.
Attackers might use your credentials for attack and the blame goes on you.
If the API you use works on GET requests and is a feature of some public application, others can easily get your API key anyway.
Given the nature of API you're using, hiding the API key might not be necessary.
Anyone that can get to your API key and secret can then access that API and pretend to be you.
I'm currently using GitHub Pages to host my website and I'm making a simple web app that requires an API call. The API call is a web URL with certain parameters, and one of the mandatory parameters is the personal API key issued from the service, which they strictly warn to not share with others because it's the equivalent of sharing your password. This service has no public API keys, only account-bound ones.
In my JavaScript file I have a line that goes something like this:
var api = "https://osu.ppy.sh/api/get_beatmaps?k=[MY API KEY HERE]";
Where this string is then used in a getJSON call.
After the ?k= is my account-tied API key, which I do not want to share because it's the equivalent of giving out my password. I realised that any user can just go to myname.github.io/js/script.js and view the JavaScript and thus see my API key. Is there a way to make it so this file is unable to be accessed, or a way to make it so no one can see my API key?
Unless you can isolate this, as in run that code on a server you control and can lock down, the answer is no.
You could also do this "serverless" as in an Amazon Lambda function or equivalent.
Remember, client-side code runs client-side, so if they have access to your key, they have access to your key. The only way around this is to intermediate or proxy the request.
I am a newbie at using APIs. Because of my work, I have to learn to use Autopilothq. There is also an API for this which is in JavaScript:
http://developers.autopilothq.com/
But my question is basically, how do I implement all these functions? Do I have to make an administration site where I implement these functions, or are they often called from the online program itself?
For example, in the console of their site Autopilot, I can type the following:
var sessionId = AutopilotAnywhere.sessionId;
sessionId;
Then I get a 24-digit number. That number can be attached to a contact_id. But how do I execute this line of code on a site? Should I simply make a JS file and write my functions in there, then call the script from the head tag?
Updated question:
If you want to use JavaScript to access their API, you create an HTML document that contains a JavaScript script which does an XMLHttpRequest (Ajax) request to their REST API with some code like the one from the example in your screenshot.
You need to specify your private API key (it acts as a kind of username and password in one thing) to allow the script access to your account. Then you create a request body and use an HTTP method to send your request (see CRUD). The API then returns a JSON-encoded string (or some error) that you can work with in your script.
So yes, basically you can create an administrative website that implements some functionality to make changes to your account (or whatever the API allows you to do). But an API allows you much more as it can be used with almost any programming language, so you could also create a native mobile or desktop app. You could also allow users to do something like unsubscribe themselves if the API allows you to create API keys with certain restrictions (i.e. only allow the unsubscribe action with the key that the user uses).
Keep in mind to not expose your API key. If you create a website to work with the API, make sure to not store the key in your script as everyone can view the source file. Instead you can either provide the key via PHP after some successful login only or have a look at server-side JavaScript (e.g. Node.js) or think of something else.
I have a gaming page that accesses an API that I would like to share but I don't want anyone else using my api. Is there a way to create a variable in javascript that would obfuscate the api? Maybe pull it in from a php page?
Just looking to replace
var apiKey = "7**************";
so that the api isn't available to people that download the page to use it for themselves.
No. You can't hide anything in JavaScript.
No. It's not possible.
Any information that your JavaScript uses is public. Any API key that you put in JS or pull from a server or decode or whatever else can be easily recorded and then used elsewhere.
Create an nginx proxy which will just add your secret API key when you make calls to the API. But don't share API keys - the only security in this case is the laziness of your visitors to take that API key.
You can't hide JavaScript from your source, but you can make it more difficult to read and understand.
www.sitepoint.com/hide-jquery-source-code/
I am working on a search engine that needs to have access to results from google. Here are my options:
Using the custom search API
Using a proxy to make my server send searches and return the data
I am not sure about some things though:
Is the custom search API limited? I may need a really big amount of queries, so if the use is limited it will be a problem.
Is it "authorized" to use a proxy in node that would send search queries to google and intercept the result to show to my users? If I do so, wouldn't I run to some limitations?
The inspiration here is gizoogle, which managed to plug into the Google API (they have the same results as Google) while still not using Custom Search (Custom Search displays ads, and there aren't any on this website). So I assume they have some sort of proxy, but how come Google lets them run those queries?
Edit: It turns out that the Custom Search API is also limited. So, how did gizoogle do it?
Ok here is how I solved this problem:
It turns out that google has a lost API (probably deprecated so be aware of this) for client-side ajax search. It looks like that:
http://ajax.googleapis.com/ajax/services/search/web?v=1.0&q=test&rsz=large
Just go to that url to see what results it gives.
So basically here is the process:
The user types a search
It is sent to your server in ajax
The server might modify the search depending on your application (filtering forbidden words or whatever)
Your server polls the Ajax web service from Google - don't forget to add the GET parameter userIp, which is needed to avoid limitations (Google limits incoming queries from each user, so your server has to tell Google that it is making a request on behalf of this userIp)
You send back the results to the client, and then use javascript to display them
The only drawback is that the search must be made in ajax, meaning that the page is empty at load and filled later. But you could actually use get parameters in URL to preload the search and fill the page before sending it to the client though.
Google Custom Search (GCS) has a free mode and a paid ("enterprise") mode.
Both modes are regulated by a terms of service (Custom Search Terms of Service) - make sure you read carefully.
From what I understand, you can use the free mode and search as much as you'd like. Because google is returning the results, they also return ads, so they get paid that way.
The paid mode gives you access to the API, and lets you turn off the ads and do other things. But it comes at a cost.
I've been combing through the documentation and terms and the like -- it's really not Google's best effort. But if you are using it exactly as they describe, it's pretty standard, really.
Depends on your project size and funds available but you could get a GSA http://www.google.com/enterprise/search/products/gsa.html
The Dr Oz website uses this to index and pull in results from partnered sites; you would have the ability to include Google results as well. Highly customizable, with the works from source weight ranking and filtering options to custom output.