I have a .cshtml
page, where a click on a button calls an API
Currently, my JS code looks like:
var headers = {};
headers["Authorization-Token"] = '@Model.ApiToken';
$.ajax({
url: "my-url",
type: "GET",
headers: headers
});
However, if the end-user opens the browser console, goes to the Network tab, searches for the generated cshtml
, he can see:
The token can be seen in clear text (cropped in the above picture for exhibit)
I can't call my API without this header, as the call is immediately rejected if the header is not present
Is there a way to hide it to the end-user, and if so, how?
Thank you
It is better to keep the tokens outside the browser, one option is to store the token inside the cookie (encrypted of course). ASP.NET Core can handle that for you automatically. Or in the backend as part of the user session.
An perhaps better option is to look at using the Backend For Frontend (aka BFF) pattern to secure SPA applications.
See
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.