
I'm building a Chrome extension using the Remember the Milk web API. In order to call methods in this API, I need to sign my requests using an API key and a "shared secret" key.

My concern is that any user could just crack open the extension and pull out these values if I include them in the published extension. This may or may not pose a security risk for the user, but he or she could certainly use/abuse my API key and maybe get it revoked.

Is this something I should be concerned about? Are there any best practices for protecting this type of information in published JavaScript applications?

pimvdb
Josh Earl

1 Answer


Ultimately you can't truly hide anything within a JS application that's run in the browser; you can obfuscate or minify the code, which will distract casual users from snooping around, but in the end it's always going to be possible to grab your plaintext secret.

If you really need to prevent this from happening, then one option is to pass calls from your extension to a server you have access to. Your server can add any parameters required for signing, forward the call on to the relevant API, and pass the API's response back to the user. Of course this adds bandwidth / uptime constraints which you may not want.

Graham

  • I'm afraid this is going to be the best solution to this problem. Writing a web service to support a free, simple plugin is definitely overkill. Yet another win for compiled native apps... – Josh Earl Dec 20 '11 at 15:19
  • Yup. We basically disallow JS-based authentication on our API for this very reason. Of course it's still going to be possible for someone to forge requests to your web service...! – Graham Dec 20 '11 at 15:37
  • @JoshEarl Compiled native apps also have API keys, and it would be possible (using an SSL sniffer like Charles / Fiddler etc.) to extract them. Browser JS does make it easier though. – mikemaccana Jan 25 '12 at 22:17
  • How do you stop users from abusing your web service? – Jared Beach Nov 05 '17 at 19:39
  • Is it possible to restrict the API key like the Google API keys? You could restrict the use to a specific referrer. – KFleischer Jul 24 '18 at 20:23
  • Google does allow you to throttle the usage of your API key to X times a day or X times a second. Might help in some cases. – Glen Little Sep 12 '19 at 15:37
  • Can you share a link on how to make a server to do this, possibly using AWS? – Persistent Plants Sep 01 '20 at 18:31
  • How does the web server authenticate the extension? (i.e. how do you prevent a 3rd party from using your server to access the API on their behalf?) (similar to Jared's Q) – Gert van den Berg Dec 12 '22 at 17:51