Why API Credentials Should Never Be Used In Client-Side Code

​Client-side code is becoming ever more popular with developers who are taking advantage of Dynamic HTML to create interactive applications that are faster and more versatile.

However, this type of coding, which executes embedded or associated scripts on the client’s web browser, does pose some problems for itself. The biggest risk is the security compromise created by having exposed Source Code on a user’s device which is beyond your control

In the same way that smartphones can be jailbroken and other hardware can be cracked, client-side code is vulnerable to hacking and misuse by anyone who has the ability and inclination.

The simple solution of using Encryption is not viable since the device that guards the API key is the same one that is easily compromised. While there is no real way to prevent this type of attack from a determined hacker, there are ways to put off less-determined ones.

Obfuscating your JavaScript can greatly help to deter casual attacks and is certainly worth doing. However, with hackers’ interest in different types of information as high as it is, there is a strong case for keeping at least part of your application running on the server side. 

Be sure to read the next Security article: Developer Learns the Value of Private API Key Security

Original Article

Client-side coding: How to prevent malicious use?