I am running a page on my site which uses third party api keys, which I want to keep hidden fr the user side. How can I do the same with infinityfree free acoount.
TIA
That depends on where and how your store the API keys.
Most website software stores it a PHP file in which the API keys are created as PHP variables. If this configuration file is accessed directly, you would only see a blank page, because the configuration file doesn’t print any content.
If you then make sure that your website code doesn’t print the API keys anywhere to the user, you should be safe.
If you store the configuration in another kind of file, you may be able to use .htaccess rules to restrict access to the file.
1 Like
I am keeping my API key in a java script code which is exposed to the user, (tho I haven’t made the site url public yet). Can you tell me a way to hide my keys from the javascript code?
If you don’t want users to access your API key, you shouldn’t send it to the user’s browser. Remember: Javascript is executed in the browser of the visitor. That means a savvy visitor can see the code and interfere with it. You could send the key encrypted, obfuscated or in other ways harder to read. But the decryption/de-obfuscation code has to be sent along with the key so you can use it in your code, which means a visitor could get the raw API key.
The most secure was to tackle this problem is to write a PHP script which handles the API calls for you. So your Javscript code doesn’t interact directly with the external API, but instead interacts with your PHP code. In that PHP code, you can enforce your own authentication, authorization and validation, and send the clean API calls from your PHP code with your API code. That way, the API key is embedded in your server code, and never has to be transmitted to your visitors.
1 Like
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.