elderlyman, posted June 10, 2020

I would like to make a fetch request from my Squarespace site to a weather data provider. The code works fine when I write it into a code block directly on the page. My issue is that the code contains an API key that I want to keep secure, yet accessible.

My strategy to keep this "simple" was to use the method described in this article to upload my file that runs the script which uses the API key, and then reference that file using <script src="/s/javascriptfile.js"></script>

The biggest question is whether storing an API key in an uploaded file linked on a disabled page and then referencing that file is a secure way to access the API key without showing it to the world.

The next question is do I really need to wait overnight for the references to uploaded files to work? That is one of the problems noted in the same article.

Thanks!

Beyondspace, posted June 16, 2020

On 6/11/2020 at 1:40 AM, elderlyman said:

> I would like to make a fetch request from my Squarespace site to a weather data provider. The code works fine when I write it into a code block directly on the page. My issue is that the code contains an API key that I want to keep secure, yet accessible.
>
> My strategy to keep this "simple" was to use the method described in this article to upload my file that runs the script which uses the API key, and then reference that file using <script src="/s/javascriptfile.js"></script>
>
> The biggest question is whether storing an API key in an uploaded file linked on a disabled page and then referencing that file is a secure way to access the API key without showing it to the world.
>
> The next question is do I really need to wait overnight for the references to uploaded files to work? That is one of the problems noted in the same article.
>
> Thanks!

A file included in the site is exposed to the world whether you place it on a disabled page or not. You may need to use an external server to do the fetch in order to hide the API token. You can choose between shared hosting with PHP or a VPS with Node.js, or the simplest form is to use a Google Apps Script published URL.

Greetings, it's BeyondSpace. I am a Squarespace dev focused on providing solutions to enhance features that squarespace.com can't provide. Feel free to check my current Squarespace plugin development: Enable Pinch/Zoom on lightbox, Delivery Date Picker, Lightbox Studio plugin. If you find my answer fits your need, leave a like or upvote so others with the same issue can find their solution. Thank you.

elderlyman (author), posted June 17, 2020

@bangank36 Thanks. Since you say it is the simplest option, I'll start experimenting with a Google Apps script on a published URL. Are you sure that an API key listed in a script on a public URL would be safe?

Beyondspace, posted June 17, 2020

2 minutes ago, elderlyman said:

> @bangank36 Thanks. Since you say it is the simplest option, I'll start experimenting with a Google Apps script on a published URL. Are you sure that an API key listed in a script on a public URL would be safe?

If security is the main concern, it is better to use a shared host or VPS for the API handling.

paul2009, posted June 17, 2020 (Solution)

Short answer

The short answer is that this is not possible on the Squarespace platform.

Longer answer

Web servers have two areas where code can be stored:

- The "back end". The back end is usually very secure and is where API keys should be stored. Website visitors cannot access this. This is where Squarespace stores approved API keys and code for secure payments.
- The "front end". Any content in the front end is readable to anyone who can view the website, so if you store your API key here, everyone (with the skills) will be able to see it.

API keys should always be saved in the "back end". The Squarespace platform provides a secure location where approved API keys can be stored (in Settings > Advanced > External API Keys). This is great for approved APIs but as you do not have direct access to the "back end" there isn't a secure location where you can store non-approved API keys.

In summary, on the Squarespace platform, there is not a way to make an API key accessible and, at the same time, protect it from public view. Adding a linked JS file won't help.

Improve your online store with our extensions.
About: Squarespace Circle Leader since 2017. I value honesty, transparency, appreciation and great design ♥.
Work: Squarespace Developer and founder of SF Digital, building the features Squarespace didn't include™.
Content: Links in my posts may refer to SF Digital products or may be affiliate links.

elderlyman (author), posted June 17, 2020

@paul2009 thanks for the thorough answer. I've been trying to balance a few goals: use a very simple code block (don't turn on dev mode), keep the API key secure as a best practice/to avoid quota theft, and avoid unnecessary complexities that might break. I can now see how, within the options of the code block or with file uploads, I'm still playing only in the front end. Even though I can't do exactly what I wanted, it's nice to have come to some conclusions about what my options are. Thanks!
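
The front end / back end split paul2009 describes, combined with the external Node.js server Beyondspace suggests, as an added example that is not part of any post in this thread: a minimal proxy that holds the key in a server-side environment variable and adds it to the request itself. The provider URL, its parameter names, the site origin and the variable name are placeholders.

```javascript
// Added example, not code from the thread. Assumed names: the provider URL and
// its lat/lon/key parameters, SITE_ORIGIN, and the WEATHER_API_KEY variable.
const UPSTREAM = 'https://weather.example/v1/current'; // placeholder provider
const SITE_ORIGIN = 'https://www.example-site.com';    // placeholder site

// Accept a coordinate only if it is a number within +/- limit.
function coord(raw, limit) {
  if (raw === null || raw.trim() === '') return null;
  const n = Number(raw);
  return Number.isFinite(n) && Math.abs(n) <= limit ? n : null;
}

// Build the provider URL. Only validated lat/lon are forwarded and the key is
// added here, on the server, so visitor-supplied parameters cannot replace it.
function buildUpstreamUrl(query, apiKey) {
  if (!apiKey) throw new Error('WEATHER_API_KEY is not set on the server');
  const lat = coord(query.get('lat'), 90);
  const lon = coord(query.get('lon'), 180);
  if (lat === null || lon === null) return null;
  const url = new URL(UPSTREAM);
  url.search = new URLSearchParams({ lat: String(lat), lon: String(lon), key: apiKey }).toString();
  return url;
}

// Handle one request and return { status, headers, body }. fetchImpl is
// injectable so the logic can be exercised without network access.
async function handleWeather(requestUrl, env, fetchImpl = fetch) {
  const headers = { 'Access-Control-Allow-Origin': SITE_ORIGIN, 'Content-Type': 'application/json' };
  const query = new URL(requestUrl, 'http://proxy.invalid').searchParams;
  const upstream = buildUpstreamUrl(query, env.WEATHER_API_KEY);
  if (!upstream) return { status: 400, headers, body: '{"error":"lat and lon are required"}' };
  const res = await fetchImpl(upstream);
  // Never relay upstream error text: it may echo the request URL and the key.
  if (!res.ok) return { status: 502, headers, body: '{"error":"upstream failure"}' };
  return { status: 200, headers, body: JSON.stringify(await res.json()) };
}

// Start the proxy only when asked: START_PROXY=1 WEATHER_API_KEY=... node proxy.js
async function startProxy(port) {
  const http = await import('node:http');
  return http.createServer(async (req, res) => {
    const out = await handleWeather(req.url, process.env).catch(() =>
      ({ status: 500, headers: {}, body: '{"error":"server error"}' }));
    res.writeHead(out.status, out.headers).end(out.body);
  }).listen(port);
}
if (process.env.START_PROXY) startProxy(8080);
```

The script on the page then requests the proxy with `lat` and `lon` only, so the key never appears in anything the browser downloads. The proxy itself is still publicly reachable, so response caching or rate limiting is what limits quota use by other callers.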