I am just testing an API that allows me to get the price of some cryptocurrencies, I wrote a express app and put it on Heroku. An API key is used, and I was wondering, if I were to make this link public, can someone easily steal the API key from the source or is that inaccessible?
https://obscure-coast-63470.herokuapp.com/acs
This is the link, I wanted to know if a hacker can get my API key from the source.
Thanks for the help.
Related
Currently working on a python project, and am trying to get it usable enough to the point where I could share it with other people on platforms like reddit or github. However, I can't go sharing around the API. Is there any way to include the API key but hide it somehow so it is simultaneously usable and still hidden from any users who download my repository?
There is not a way to have an API key be shared so it's both usable and private. If you can't share the API, then you'll just have to keep it to yourself.
I was working on a project, and needed to make an API call to my website https://dashboard.lawliet.host/api/setcoins, it took in a header Authorization, which was the admin API key.
I obviously don't want the API key exposed to the user if they check the outgoing requests, or deobfuscate the program. What is a good and easy solution to get around this?
What I did think of what to hash the API key in this program, and compare it with the key in my server. According to me, this will work, but I do want to know if there's a better/easier way to accomplish it.
P.S: English is not my first language, so if anyone could edit this question and fix any grammatical errors, I would appreciate it.
Thanks,
MisuteriasuKe
I have an ios/Objective C app. I'm using Parse. It's hosted on Heroku.
I'm attempting to integrate Stripe. I have installed the latest Stripe pod and am trying to follow the basic Standard Integration. https://stripe.com/docs/mobile/ios/standard
I'm getting tripped up by the steps involved with "Prepare Your API" and I'm unsure how to use the code provided "To provide an ephemeral key to the SDK, you'll need to expose a new API endpoint on your backend. This endpoint should create an ephemeral key for the current Stripe customer, and return the key's unmodified response as JSON" ...
All the Q&A I can find on how to use stripe with parse seem to predate the use of the ephemeral key and need to create this endpoint. Could you please provide me with more specific information about where the example code you provide (see below) for this goes? Is this something I need to do within the parse dashboard? Heroku? is this part of parse cloud? I vaguely recall from previous times I've played with parse apps several years ago, that there may be a main.js file (or similar) that can be incorporated into the app, but I don't recall where it goes or how to do it.
# Sinatra
post path do
stripe_version = params['api_version']
customer_id = session['customer_id']
key = Stripe::EphemeralKey.create(
{customer: customer_id},
{stripe_version: stripe_version}
)
key.to_json
end
If anyone has recently integrated stripe with a parse app I'd really appreciate guidance on how to do this.
Thanks!
I made a styled map in Google Maps and I needed an API key to make it work. I did it, and it workes fine if the API key is not restricted. If I restrict it on a particular IP or domain, it doesn't work, but this is not the problem I want to discuss here. I was wondering, why not leaving my key unrestricted? So i searched online and they said that a key shouldn't be unrestricted for security reasons, so they suggest to
store them in environment variables or in files outside of your application's source tree
I asked myself then, even if I put my API key in an external file, get it with php or whatever, wouldn't it be shown in the html's source code anyway? I mean, in the how-to page they say to write this code
<script src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap">
that's fine, but whatever is my way to set the YOUR_API_KEY, whether getting it from an external file or not, it will be shown on my html's source code anyway.
So,
does anyone know what they mean when they say to put the API key on an external file?
If i find a way to put it on an external file, can I leave it unrestricted? If so, what could happen (speeching from a security point of view)?
Leaving an API completely unrestricted is awful practice and should be avoided in almost every situation. All someone with malicious intent needs to do is find your API key and suddenly they have access to almost everything function that the API key gives you access to. Always restrict keys to the bare minimum.
Since you're going to be embedding the map into an iframe, that script is going to be run client side meaning there isn't much when it comes to hiding the API key but if you restrict a key to simply view maps (and any other functions that will be needed on the users side) there won't be any need to hide it and you can leave it in there as the docs show you.
The document you read on best practices for security with API's applies more to applications of the Google API where it is handling sensitive data or the key has access to functions that could seriously compromise the security of your application if accessed. This doesn't apply in the scenario you described with maps.
How to get the API key for the authentication purposes for posting the request to get the email previews using Litmus?
There are actually a few different Litmus Preview APIs to cater to different use cases. We're in the process of simplifying this, partly in the hope of making the experience for a new API user a little more obvious.
If you reach out to hello#litmus.com we'll direct you to the appropriate API version and how to obtain your key.