elderlyman Posted June 10, 2020 Share Posted June 10, 2020 I would like to make a fetch request from my squarespace site to a weather data provider. The code works fine when I write it into a code block directly on the page. My issue is that the code contains an API key that I want to keep secure, yet accessible. My strategy to keep this "simple" was to use the method described in this article to upload my file that runs the script which uses the API key, and then reference that file using <script src="/s/javascriptfile.js"></script> The biggest question is whether storing an API key in an uploaded file linked on a disabled page and then referencing that file is a secure way to access the API key without showing it to the world. The next question is do I really need to wait overnight for the references to uploaded files to work? That is one of the problems noted in the same article. Thanks! Link to comment
Beyondspace Posted June 16, 2020 Share Posted June 16, 2020 On 6/11/2020 at 1:40 AM, elderlyman said: I would like to make a fetch request from my squarespace site to a weather data provider. The code works fine when I write it into a code block directly on the page. My issue is that the code contains an API key that I want to keep secure, yet accessible. My strategy to keep this "simple" was to use the method described in this article to upload my file that runs the script which uses the API key, and then reference that file using <script src="/s/javascriptfile.js"></script> The biggest question is whether storing an API key in an uploaded file linked on a disabled page and then referencing that file is a secure way to access the API key without showing it to the world. The next question is do I really need to wait overnight for the references to uploaded files to work? That is one of the problems noted in the same article. Thanks! The file is included in the site is exposed to the world either you placed it on disable or not, you may need to use a external server to doing the fetch to hide the api token. Can choose between a shared hosting with PHP or VPS with nodejs or simplest form is used Google Apps script published url BeyondSpace - Squarespace Website Developer 🖼️ Lightbox Studio (Enable Pinch/Zoom on lightbox) 🗓️ Delivery Date Picker (Squarespace Date picker form field) 💫 Gallery block 7.1 workaround 🥳 Sparkplugin Customisations Browsers (Browse +100 Spark plugin customisations) 🥳 Elfsight Template Browsers (Browse +1000 Elfsight widget Templates) If you find my answer useful, let's leave a like or upvote so others with the same issue can find their solution. Thank you! Link to comment
elderlyman Posted June 17, 2020 Author Share Posted June 17, 2020 @bangank36 Thanks. Since you say it is the simplest option, I'll start experimenting with a Google Apps script on a published url. Are you sure that an API key listed in a script on a public URL would be safe? Link to comment
Beyondspace Posted June 17, 2020 Share Posted June 17, 2020 2 minutes ago, elderlyman said: @bangank36 Thanks. Since you say it is the simplest option, I'll start experimenting with a Google Apps script on a published url. Are you sure that an API key listed in a script on a public URL would be safe? If security is the most concern, better use shared host or vps for the api handling BeyondSpace - Squarespace Website Developer 🖼️ Lightbox Studio (Enable Pinch/Zoom on lightbox) 🗓️ Delivery Date Picker (Squarespace Date picker form field) 💫 Gallery block 7.1 workaround 🥳 Sparkplugin Customisations Browsers (Browse +100 Spark plugin customisations) 🥳 Elfsight Template Browsers (Browse +1000 Elfsight widget Templates) If you find my answer useful, let's leave a like or upvote so others with the same issue can find their solution. Thank you! Link to comment
paul2009 Posted June 17, 2020 Share Posted June 17, 2020 Short answer The short answer is that this is not possible on the Squarespace platform. Longer answer Web servers have two areas where code can be stored: The "back end". The back end is usually very secure and is where API keys should be stored. Website visitors cannot access this. This is where Squarespace stores approved API keys and code for secure payments. The "front end". Any content in the frontend is readable to anyone who can view the website, so if you store your API key here, everyone (with the skills) will be able to see it. API Keys should always be saved in the "back end". The Squarespace platform provides a secure location where approved API keys can be stored (in Settings > Advanced > External API Keys). This is great for approved APIs but as you do not have direct access to the "back end" there isn't a secure location where you can store non-approved API keys. In summary, on the Squarespace platform, there is not a way to make an API key accessible and, at the same time, protect it from public view. Adding a linked JS file won't help. About me: I've been a SQSP User for 18 yrs. I was invited to join the Circle when it launched in 2016. I have been a Circle Leader since 2017. I don't work for Squarespace. I value honesty, transparency, diversity and good design ♥. Work: I founded and run SF.DIGITAL, building Squarespace Extensions to supercharge your commerce website. Content: Views and opinions are my own. Links in my posts may refer to SF.DIGITAL products or may be affiliate links. Forum advice is free. You can thank me by clicking one of the feedback emojis below. Coffee is optional. Link to comment
elderlyman Posted June 17, 2020 Author Share Posted June 17, 2020 @paul2009 thanks for the thorough answer. I've been trying to balance a few goals: use a very simple code block (don't turn on dev mode), keep the API key secure as a best practice/to avoid quota theft, and avoid unnecessary complexities that might break. I can now see how, within the options of the code block or with file uploads, I'm still playing only in the front end. Even though I can't do exactly what I wanted, it's nice to have come to some conclusions about what my options are. Thanks! Link to comment
Recommended Posts
Archived
This topic is now archived and is closed to further replies.