Hide API key for a GitHub page


Question

I have a github page for my organization where I would like to call data from a 3rd party api where I need an auth token. Can I publish this github page without having the auth token displayed on the public repo?

Recommended answer

In short, no. If your GitHub repo is public, all its assets are public. You can make the repo private and it will still publish on GitHub Pages if named with the username.github.io convention or if it has a gh-pages branch. While that's an option, that's not necessarily the right thing to do.

If your key is in your GitHub Pages repo, it sounds like it's used for client-side API calls in JavaScript. If so, your auth token is publicly visible whether it's in your public repo or sent in your client-side files to the browser. This is usually fine. The third-party API might have generated the auth token based on your website's domain, and restrict calls using that token to pages originating on your domain. Otherwise, they might require the auth token only for logging requests and monitoring usage.

If the auth token is truly meant to be private, then you may need to write private server-side code to call the third-party API. Your GitHub Pages site could then hit your service for the data it needs. I've had to do that before where the web API had security concerns, but I still needed to retrieve non-sensitive data from the client-side.
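The server-side arrangement described in the answer above, as an added example that is not part of the original answer: a small Node.js proxy that keeps the token in an environment variable and forwards only allowlisted GET paths to the third-party API. The Pages origin, upstream URL, paths, the `API_TOKEN` variable and the Bearer scheme are all assumptions.

```javascript
// Added example: all names and URLs below are hypothetical placeholders.
const ALLOWED_ORIGIN = "https://example-org.github.io"; // assumed GitHub Pages origin
const UPSTREAM = "https://api.example.com";             // placeholder third-party API
const ALLOWED_PATHS = new Set(["/v1/status", "/v1/items"]); // forward only these

// Decide what to do with a browser request; pure so it can be tested offline.
function planRequest(method, rawUrl, origin, token) {
  if (!token) return { status: 500, error: "server token not configured" };
  if (method !== "GET") return { status: 405, error: "method not allowed" };
  if (origin !== ALLOWED_ORIGIN) return { status: 403, error: "origin not allowed" };
  // URL parsing normalises "../" segments before the allowlist check.
  const url = new URL(rawUrl, "http://proxy.invalid");
  if (!ALLOWED_PATHS.has(url.pathname)) return { status: 404, error: "unknown path" };
  return {
    status: 200,
    upstreamUrl: UPSTREAM + url.pathname + url.search,
    headers: { Authorization: "Bearer " + token }, // assumed auth scheme
  };
}

// HTTP handler: the token is attached here and never sent to the browser.
async function handle(req, res) {
  const plan = planRequest(req.method, req.url, req.headers.origin, process.env.API_TOKEN);
  const cors = {
    "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
    Vary: "Origin",
    "Content-Type": "application/json",
  };
  if (plan.status !== 200) {
    res.writeHead(plan.status, cors);
    return res.end(JSON.stringify({ error: plan.error }));
  }
  try {
    const upstream = await fetch(plan.upstreamUrl, { headers: plan.headers });
    res.writeHead(upstream.status, cors);
    res.end(await upstream.text());
  } catch {
    res.writeHead(502, cors);
    res.end(JSON.stringify({ error: "upstream unavailable" }));
  }
}

// Call start(8080) on the private host; the Pages site then fetches from it.
async function start(port) {
  const http = await import("node:http");
  return http.createServer(handle).listen(port);
}
```

The `Origin` check only constrains browsers, since other clients can send any header; the path allowlist and GET-only rule are what keep the proxy limited to the non-sensitive data the page needs.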
