Hi, I’ve searched the forums for something that would answer my question but can’t seem to find anything that fits the bill.
I’m building a public but not published search page which sends a search result, chosen by the user, to a service API, using GET method. All good so far.
Even if I .htaccess password protect the page and only give the login details to chosen people, I’d still like to protect those sensitive details.
I would do a proxied request, where there’s a server-side script that does the query with the API key.
The client calls this script, your script calls the server and returns data, and then the script forwards it back to the client. You can still restrict access via .htaccess on the client page to make sure that the call doesn’t get abused.
Just checking; if, instead of writing my scripts as ‘internal’ Hype scripts, I wrote them externally and added them into the Hype project, then used an export script which puts those scripts into /js folder or something and protected that folder, I could put anything in those scripts, correct?
There’s a lot that is highly dependent on your configuration and the data you are trying to protect, so without knowing all the details it would be impossible to offer specific advice. I also wouldn’t want to be liable for your setup!
Based on what I think you are describing, the answer is no. If you load a .js file with the secret into your client-side application, then the client can see your key.
The goal is to never load the key into anything client-side. That’s why the key is located in a file that is only server-side, and performs as a proxy.
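The proxied request described in this thread, as an added example that is not part of the original posts: the browser sends only the search term, and the server-side script attaches the key before calling the service. The upstream URL, the `q` and `key` parameter names, and the `SEARCH_API_KEY` and `PROXY_PORT` environment variables are assumptions made for illustration.

```javascript
// Added example: server-side proxy logic (Node 18+, no dependencies).
// UPSTREAM, the "q"/"key" parameter names and the environment variable
// names are assumptions, not taken from the thread.
const UPSTREAM = 'https://api.example.com/search'; // placeholder service URL

// Build the upstream URL. Only the search term comes from the client;
// the key is added here, on the server, and never reaches the browser.
function buildUpstreamUrl(term, apiKey) {
  if (typeof term !== 'string' || term.length === 0 || term.length > 200) return null;
  const url = new URL(UPSTREAM);
  url.searchParams.set('q', term);
  url.searchParams.set('key', apiKey);
  return url;
}

// Handle one client request. `path` is the request path plus query string.
// fetchImpl is injectable so the logic can be exercised without a network.
async function handleSearch(path, apiKey, fetchImpl = fetch) {
  // Read only "q"; any other parameter the client sends is ignored.
  const term = new URLSearchParams(path.split('?')[1] || '').get('q');
  const url = buildUpstreamUrl(term, apiKey);
  if (!url) return { status: 400, body: '{"error":"bad query"}' };
  try {
    const upstream = await fetchImpl(url);
    if (!upstream.ok) return { status: 502, body: '{"error":"upstream error"}' };
    return { status: 200, body: await upstream.text() };
  } catch {
    // Never echo the exception or the upstream URL: the URL contains the key.
    return { status: 502, body: '{"error":"upstream error"}' };
  }
}

// Start the proxy only when PROXY_PORT is set, e.g.
//   SEARCH_API_KEY=... PROXY_PORT=8080 node proxy.js
// It binds to loopback on the assumption that the web server (with its
// .htaccess restriction) forwards requests to it.
if (process.env.PROXY_PORT) {
  import('node:http').then(({ createServer }) => {
    createServer(async (req, res) => {
      const out = await handleSearch(req.url, process.env.SEARCH_API_KEY);
      res.writeHead(out.status, { 'Content-Type': 'application/json' });
      res.end(out.body);
    }).listen(Number(process.env.PROXY_PORT), '127.0.0.1');
  });
}
```

The client-side script then requests the proxy path with only `?q=...`; the key lives in the server's environment and appears in no file the browser can download.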