For example, I modified the boiler-plate code for tapping the FB API, to conform to jslint. It looks like this:
    <script>
    (function () {
        'use strict';
        // Called by the SDK once sdk.js has finished loading.
        window.fbAsyncInit = function () {
            FB.init({
                appId: '1507519942878500',
                xfbml: true,
                version: 'v2.5'
            });
        };
        var d = document,
            id = 'facebook-jssdk',
            js,
            fjs = d.getElementsByTagName('script')[0];
        // Do nothing if the SDK script tag has already been injected.
        if (d.getElementById(id)) {
            return;
        }
        // Inject the SDK loader ahead of the first script on the page.
        js = d.createElement('script');
        js.id = id;
        js.src = "//connect.facebook.net/en_US/sdk.js";
        fjs.parentNode.insertBefore(js, fjs);
    }());
    </script>
I notice that anyone who uses my app can now see my appId. Is this a security risk in any way?
This is intentional, not a risk; there is no way to hide your Facebook app ID.
If your secret was exposed, this will be a problem.
There needs to be a way for Facebook to link back to your application. As a user I also need to know your app ID if I ever needed to report suspicious activity.
If the question is, "Is this a security risk in any way?" the answer is yes, this can be a security risk in many ways, but long story short, you should check this out. It's best practices with the FB SDK.
http://www.masteringapi.com/tutorials/facebook-javascript-sdk-best-practices/58/
For future reference, any API keys you use from whatever API you're trying to use should be hidden from the public and saved as a variable. And if you're using git, you would save the file where your API keys are in a gitignore.
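The distinction the answers draw (a public app ID versus a secret that must stay out of client code and out of the repository) can be checked mechanically before a file is published or committed. The following is an added example, not code from the question, the answers or Facebook; the key-name list and the 32-character hex heuristic are assumptions, and the secret value in the sample is constructed.

```javascript
// Added example. Key names and the 32-hex heuristic are assumptions, not an
// official Facebook list; the secret value in LEAKY_SAMPLE is constructed.
const SECRET_KEY = /(app_?secret|client_?secret|api_?secret|api_?key|access_?token)/i;
const HEX32 = /^[0-9a-f]{32}$/i;
// Matches  key: 'value'  or  key = "value"  (quotes around the key optional).
const ASSIGNMENT = /["']?([A-Za-z_$][\w$]*)["']?\s*[:=]\s*(["'])([^"']{8,})\2/g;

function findExposedSecrets(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const [, key, , value] of text.matchAll(ASSIGNMENT)) {
      let reason = null;
      if (SECRET_KEY.test(key)) {
        reason = 'secret-like key name';
      } else if (HEX32.test(value)) {
        reason = '32-character hex literal';
      }
      if (reason) {
        // Never echo the full value into logs or CI output.
        findings.push({ line: index + 1, key, reason, preview: value.slice(0, 4) + '...' });
      }
    }
  });
  return findings;
}

// The FB.init call from the question: only the public appId is present.
const CLIENT_SAMPLE = [
  "FB.init({",
  "  appId: '1507519942878500',",
  "  xfbml: true,",
  "  version: 'v2.5'",
  "});"
].join('\n');

// Constructed sample of the mistake: a secret shipped next to the app ID.
const LEAKY_SAMPLE = [
  "var config = {",
  "  appId: '1507519942878500',",
  "  appSecret: '0123456789abcdef0123456789abcdef'",
  "};"
].join('\n');

console.log(findExposedSecrets(CLIENT_SAMPLE));
console.log(findExposedSecrets(LEAKY_SAMPLE));
```

The hex heuristic will also match unrelated 32-character hex literals such as MD5 digests, so treat its findings as prompts for review rather than confirmed leaks.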