Is there a way to hide my Facebook appID?

Question

For example, I modified the boiler-plate code for tapping the FB API, to conform to jslint. It looks like this:

(function () {
    'use strict';
    window.fbAsyncInit = function () {
        FB.init({
            appId: '1507519942878500',
            xfbml: true,
            version: 'v2.5'
        });
    };
    var d = document,
        id = 'facebook-jssdk',
        js,
        fjs = d.getElementsByTagName('script')[0];
    if (d.getElementById(id)) {
        return;
    }
    js = d.createElement('script');
    js.id = id;
    js.src = "//connect.facebook.net/en_US/sdk.js";
    fjs.parentNode.insertBefore(js, fjs);
}());

</script>

I notice that anyone who uses my app can now see my appId . Is this a security risk in any way?

Answer 1

This is intentional not a risk, there is no way to hide your Facebook app ID.

If your secret was exposed this will be a problem.

There needs to be a way for Facebook to link back to your application. As a user I also need to know your app ID if I ever needed to report suspicious activity.

Answer 2

If the question is, "Is this a security risk in any way?" the answer is yes, this can be a security risk in many ways, but long story short, you should check this out. Its best practices with the fb sdk.

http://www.masteringapi.com/tutorials/facebook-javascript-sdk-best-practices/58/

for future reference any api keys you use from whatever api you're trying to use should be hidden from the public and saved as a variable. and if your using git, you would save the file where your api keys are in a gitignore.