
I'm new-ish to web development. Setting up a hobby website for weather forecasting. I have an API key to make 'GET' requests from a forecasting service (openweathermap). I know I don't want to expose this key to the public. So my current plan is to have the user select their location by text input; a client-side JavaScript function sends this info to a server-side Perl script, which makes the 'GET+key' request to the forecasting service. The Perl script returns the forecast data to the client-side JavaScript for display on the page.

Since the API key is stored in the server side script, I assume it is not visible to the public. Is this true and is my above approach good to use?

brian d foy
  • Yes, you are right: if you are making the request from the "backend", no one will be able to have access to the headers/URL and thus your key. – Countour-Integral Jan 27 '21 at 15:57
  • Some APIs come with the API key being tied to a specific site. Google Analytics, Maps and other such JavaScript snippets for tracking work like that. This allows you to use the API key somewhere where it isn't actually kept a secret. It sounds like that doesn't work here though. Putting it in the backend is therefore a smart move. If you have a hosting environment that allows for CGI, that'll be simple. You'll need to know how to run a CGI, and how to make a request and render a response. You could repackage the payload and send it off and send back the response verbatim, for example. – simbabque Jan 27 '21 at 17:18

1 Answer


On the server, the client should not be able to see it. However, there are various things that you might do that could expose it. Use proper transport security (so, HTTPS, whatever), be careful with the output of error messages, store it somewhere away from the prying eyes of others, and so on.

Look into various ways to manage secrets. Some of these make it so you don't even know what the API key is.

brian d foy
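The following is an added example, not code from the question, the answer, or OpenWeatherMap: a CGI proxy in the shape the question describes (browser sends a location, the Perl script adds the key and forwards the upstream JSON), written to follow the answer's cautions about transport security, error output and secret storage. It assumes the script is served as `forecast.pl`, that the web server supplies the key in an environment variable named `OWM_API_KEY` (for Apache, `SetEnv OWM_API_KEY ...` in a config file outside the document root), that the page sends the location as a `city` query parameter, and that the OpenWeatherMap "current weather" endpoint at `https://api.openweathermap.org/data/2.5/weather` is the one being called; all of those names are choices made for this example.

```perl
#!/usr/bin/env perl
# forecast.pl -- server-side proxy that attaches the OpenWeatherMap key.
# Example code written for this thread, not the asker's or answerer's script.
use strict;
use warnings;
use CGI;
use JSON::PP qw(encode_json);
use LWP::UserAgent;
use URI;

# The key is never written into the script. Assumption for this example: the
# web server hands it to the CGI process as an environment variable, e.g.
# Apache "SetEnv OWM_API_KEY ..." in a config file outside the document root.
my $api_key = $ENV{OWM_API_KEY};

# The client only ever sees a generic message; the specifics go to the
# server's error log (STDERR for a CGI) where the public cannot read them.
sub fail {
    my ($q, $status, $log_msg) = @_;
    warn "forecast.pl: $log_msg\n";
    print $q->header(-type => 'application/json', -status => $status),
          encode_json({ error => 'forecast lookup failed' });
    exit;
}

my $q = CGI->new;

fail($q, '500 Internal Server Error', 'OWM_API_KEY is not set')
    unless defined $api_key && length $api_key;

# Forward only what the page is supposed to send: a short ASCII place name,
# optionally followed by ",CC" country code. Anything else is rejected here
# instead of being passed upstream with our key attached. Widen the pattern
# if you need non-ASCII names (then also enable CGI's -utf8 decoding).
my $city = $q->param('city') // '';
fail($q, '400 Bad Request', 'rejected city parameter')
    unless $city =~ /\A[A-Za-z][A-Za-z .'-]{0,79}(?:,[A-Za-z]{2})?\z/;

# Build the upstream URL. From here on $uri contains the key, so it must not
# be echoed to the client or interpolated into any error message or log line.
my $uri = URI->new('https://api.openweathermap.org/data/2.5/weather');
$uri->query_form(q => $city, appid => $api_key, units => 'metric');

my $ua  = LWP::UserAgent->new(timeout => 10, agent => 'hobby-forecast/1.0');
my $res = $ua->get($uri);

# Upstream failures are reported by status line only, never by URL.
fail($q, '502 Bad Gateway', 'upstream returned ' . $res->status_line)
    unless $res->is_success;

# Relay the JSON body unchanged, as simbabque suggested. charset => 'none'
# undoes any transfer compression but leaves the UTF-8 bytes as they are.
print $q->header(-type => 'application/json', -charset => 'utf-8'),
      $res->decoded_content(charset => 'none');
```

The page would call it with something like `fetch('/cgi-bin/forecast.pl?city=' + encodeURIComponent(city))` and read the returned JSON; the browser never sees the upstream URL, so it never sees `appid`. Two practical notes: the upstream call needs `LWP::Protocol::https` installed so the key travels over TLS, and `CGI.pm` is no longer bundled with Perl and has to be installed from CPAN. Also keep in mind that this endpoint is public, so anyone who finds it can spend your key's request quota through it; caching recent lookups or adding a simple per-client rate limit is the usual mitigation.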