您在哪里存储您在 javascript Web 应用程序中使用的第三方 API ApiKey?

2022-01-19 00:00:00 reactjs frontend javascript app-id api-key

您如何以及在何处存储您在 javascript Web 应用程序中使用的第三方 API ApiKey(又名 AppId、AppSecret、AppKey)?如果它在获取 URL 中使用并且无论如何在浏览器网络选项卡中可见,我是否应该对它保密?

How and where do you store third-party API ApiKey (aka AppId, AppSecret, AppKey) that you use in your javascript web app? Should I care to keep it secret from public if it is used in fetch URL and is visible in browser network tab anyway?

示例:在我的 React 应用程序中,我使用 OpenWeatherMap 服务.我需要在他们的网站上注册并获取 apikey,然后我使用 URL 请求数据:

Example: in my React app I use OpenWeatherMap service. I need to sign up on their website and obtain the apikey, then I request data using URL:

http://api.openweathermap.org/data/2.5/weather?APPID=96547d41585ab16c48ee1evtm1bb1g8&q=英国伦敦

上面 URL 中的我的 appid 与我的帐户相关联,我可以使用此 appid 执行的请求数量有限.所以我想让这个appid对任何人隐藏.有可能在 React 应用程序中这样做吗?

My appid in the URL above is associated with my account and there is a limited amount of requests I can do with this appid. So I'd like to keep this appid hidden from anyone. Is it possibly to do so in React app?

推荐答案

一个常见的解决方案是让您的应用程序用户为相关的第三方服务创建自己的 API 密钥.然后,用户可以将这些密钥提供给您的应用,例如,将它们存储在他们的个人资料中(在您的应用中).

A common solution is to have your application user create their own API keys for the relevant third-party services. The user may then provide these keys to your app and, for example, have them stored in their profile (within your app).

如果您想通过自己的凭据向应用用户提供对第三方服务的访问权限,唯一安全的选择是通过您自己的服务器代理请求,您可以在其中安全地存储 API 密钥不暴露他们.

If you want to provide access to a third-party service under your own credentials to the users of your app, the only properly secure option would be to proxy the requests through your own server, where you can safely store your API keys without exposing them.

相关文章