在 Chrome 扩展程序中保护网站 API 密钥 [英] Securing website API keys in Chrome extensions

问题描述

我正在使用记住 Milk 网络 API 构建 Chrome 扩展程序.为了调用此 API 中的方法，我需要使用 API 密钥和共享秘密"密钥对我的请求进行签名.

I'm building a Chrome extension using the Remember the Milk web API. In order to call methods in this API, I need to sign my requests using an API key and a "shared secret" key.

我担心的是，如果我将这些值包含在已发布的扩展中，任何用户都可以直接打开扩展并提取这些值.这可能会也可能不会为用户带来安全性提升，但他或她肯定可以使用/滥用我的 API 密钥，并可能将其撤销.

My concern is that any user could just crack open the extension and pull out these values if I include them in the published extension. This may or may not pose a security rise for the user, but he or she could certainly use/abuse my API key and maybe get it revoked.

这是我应该关心的事情吗?是否有任何最佳做法可以保护已发布的 JavaScript 应用程序中的此类信息?

Is this something I should be concerned about? Are there any best practices for protecting this type of information in published JavaScript applications?

推荐答案

最终，您无法真正隐藏在浏览器中运行的 JS 应用程序中的任何内容；您可以混淆或缩小代码，这会分散临时用户的注意力，使其无法四处窥探，但最终总有可能获取您的明文秘密.

Ultimately you can't truly hide anything within a JS application that's run in the browser; you can obfuscate or minify the code, which will distract casual users from snooping around, but in the end its always going to be possible to grab your plaintext secret.

如果您确实需要防止这种情况发生，那么一种选择是将呼叫从您的分机传递到您有权访问的服务器.您的服务器可以添加签名所需的任何参数，将调用转发到相关的 API，并将 API 的响应传回给用户.当然，这会增加您可能不想要的带宽/正常运行时间限制.

If you really need to prevent this from happening, then one option is to pass calls from your extension to a server you have access to. Your server can add any paramters required for signing, forward the call on to the relevant API, and pass the API's response back to the user. Of course this adds bandwidth / uptime constraints which you may not want.

这篇关于在 Chrome 扩展程序中保护网站 API 密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！