您将在 javascript Web 应用程序中使用的第三方 API ApiKey 存储在哪里? [英] Where do you store third-party API ApiKey that you use in your javascript web app?
问题描述
您如何以及在哪里存储您在 javascript 网络应用中使用的第三方 API ApiKey(又名 AppId、AppSecret、AppKey)?如果它用于获取 URL 并且无论如何在浏览器网络选项卡中可见,我是否应该注意对公众保密?
How and where do you store third-party API ApiKey (aka AppId, AppSecret, AppKey) that you use in your javascript web app? Should I care to keep it secret from public if it is used in fetch URL and is visible in browser network tab anyway?
示例:在我的 React 应用程序中,我使用 OpenWeatherMap 服务.我需要在他们的网站上注册并获取 apikey,然后我使用 URL 请求数据:
Example: in my React app I use OpenWeatherMap service. I need to sign up on their website and obtain the apikey, then I request data using URL:
http://api.openweathermap.org/data/2.5/weather?APPID=96547d41585ab16c48ee1evtm1bb1g8&q=London,uk
我在上面 URL 中的 appid 与我的帐户相关联,我可以使用此 appid 执行的请求数量有限.所以我想对任何人隐藏这个 appid.是否有可能在 React 应用程序中这样做?
My appid in the URL above is associated with my account and there is a limited amount of requests I can do with this appid. So I'd like to keep this appid hidden from anyone. Is it possibly to do so in React app?
推荐答案
一个常见的解决方案是让您的应用程序用户为相关的第三方服务创建他们自己的 API 密钥.然后,用户可以向您的应用提供这些密钥,例如,将它们存储在他们的个人资料中(在您的应用内).
A common solution is to have your application user create their own API keys for the relevant third-party services. The user may then provide these keys to your app and, for example, have them stored in their profile (within your app).
如果您想根据您自己的凭据向您的应用程序用户提供对第三方服务的访问权限,唯一适当安全的选择是通过您自己的服务器代理请求,您可以在其中安全地存储 API 密钥不暴露它们.
If you want to provide access to a third-party service under your own credentials to the users of your app, the only properly secure option would be to proxy the requests through your own server, where you can safely store your API keys without exposing them.
这篇关于您将在 javascript Web 应用程序中使用的第三方 API ApiKey 存储在哪里?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
