在UI javascript代码中嵌入facebook App ID是否安全? [英] Is it safe to have facebook App ID embedded in the UI javascript code?

问题描述

Facebook的文档说我们可以初始化FB在我们的应用程序中运行以下代码.代码来自文档，但这也希望将'appId'作为参数传递.

Facebook's documentation says that we can initialise FB in our app by running the following code. The code is from the documentation but this also expects 'appId' to be passed as parameter.

问题:在单个页面应用程序的客户端Javascript代码中嵌入'appId'是否真的安全，还是应该以某种方式在服务器端处理?

Question: Is it really secure to have the 'appId' embedded in a single page application's client side Javascript code or should this be handled on the server side somehow ?

FB.init({
    appId      : '{your-app-id}',
    status     : true,
    xfbml      : true,
    version    : 'v2.4' // or v2.0, v2.1, v2.2, v2.3
  });

更新:正如@KK指出的那样，文档说是app-secret.因此，我猜想在浏览器中包含app-id是安全的，但我应该保持app-secret的安全.当我检查我的Facebook仪表板时，可以看到我有两个不同的ID，分别用于app-id和app-secret.

Update: As @KK pointed out the documentation says app-secret. So I'm guessing it's safe to have app-id in the browser but I should keep the app-secret safe. When I check my facebook dashboard I can see I have two different ids for app-id and app-secret.

即使我将app-id保留在服务器上并通过服务器重定向用户，该应用程序ID仍对用户可见，因为

Even if I kept app-id on the server and redirected the user via the server, the app-id will still be visible to the user because the documentation here says that the redirect url is a GET request so all the parameters are visible anyway.

推荐答案

应用ID完全可以安全发布(无论如何在登录过程中都可以看到)，另一方面，该应用的秘密称为秘密"，用于一个原因.使用App ID和App Secret，您将已经有一个App Access令牌(App-ID | App-Secret).使用App Access令牌，您将能够更改某些App设置: https://developers. facebook.com/docs/graph-api/reference/application#Updating

The App ID is perfectly safe to publish (it will be visible in the login process anyway), the App Secret on the other hand is called "Secret" for a reason. With App ID and App Secret, you would already have an App Access Token (App-ID|App-Secret). With an App Access Token, you would be able to change some App settings: https://developers.facebook.com/docs/graph-api/reference/application#Updating

为提高安全性，您应在应用"设置中激活要求应用秘密"，并使用appsecret_proof进行服务器调用:

To improve security, you should activate "Require App Secret" in the App settings and use appsecret_proof for server calls:

• 设置: https://developers.facebook.com/apps/[app-id ]/settings/advanced/
• 确保API调用的安全: https://developers.facebook.com/docs/graph-api/securing -请求
• 常规信息: https://developers.facebook.com/docs/facebook-login/security

• Settings: https://developers.facebook.com/apps/[app-id]/settings/advanced/
• Securing API calls: https://developers.facebook.com/docs/graph-api/securing-requests
• General information: https://developers.facebook.com/docs/facebook-login/security

这篇关于在UI javascript代码中嵌入facebook App ID是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！