Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
Advanced Search
  • 0
elderlyman

Hide an API key in file on a disabled page

Question

I would like to make a fetch request from my squarespace site to a weather data provider.  The code works fine when I write it into a code block directly on the page.  My issue is that the code contains an API key that I want to keep secure, yet accessible.

My strategy to keep this "simple" was to use the method described in this article to upload my file that runs the script which uses the API key, and then reference that file using 

<script src="/s/javascriptfile.js"></script>

The biggest question is whether storing an API key in an uploaded file linked on a disabled page and then referencing that file is a secure way to access the API key without showing it to the world.  

The next question is do I really need to wait overnight for the references to uploaded files to work? That is one of the problems noted in the same article.  

Thanks!

Share this post


Link to post

5 answers to this question

Recommended Posts

  • 2

Short answer
The short answer is that this is not possible on the Squarespace platform. 

Longer answer
Web servers have two areas where code can be stored:

  • The "back end". The back end is usually very secure and is where API keys should be stored. Website visitors cannot access this. This is where Squarespace stores approved API keys and code for secure payments.
  • The "front end". Any content in the frontend is readable to anyone who can view the website, so if you store your API key here, everyone (with the skills) will be able to see it.

API Keys should always be saved in the "back end". The Squarespace platform provides a secure location where approved API keys can be stored (in Settings > Advanced > External API Keys). This is great for approved APIs but as you do not have direct access to the "back end" there isn't a secure location where you can store non-approved API keys. In summary, on the Squarespace platform, there is not a way to make an API key accessible and, at the same time, protect it from public view. Adding a linked JS file won't help. 


sf-digital-signature-logo-email145.png.46606a2288a2847f44d81b9b7b58f3a5.png
Hi, I'm Paul, founder of SF Digital, a specialist company building the features that Squarespace didn't include. Explore our range of Squarespace Extensions on our website, including the Enquiry Form ExtensionDatepicker Extension and Age Verification Extension. Note that some links in my posts may be affiliate links. Book a Squarespace Expert when you need help.

Share this post


Link to post
  • 1
On 6/11/2020 at 1:40 AM, elderlyman said:

I would like to make a fetch request from my squarespace site to a weather data provider.  The code works fine when I write it into a code block directly on the page.  My issue is that the code contains an API key that I want to keep secure, yet accessible.

My strategy to keep this "simple" was to use the method described in this article to upload my file that runs the script which uses the API key, and then reference that file using 


<script src="/s/javascriptfile.js"></script>

The biggest question is whether storing an API key in an uploaded file linked on a disabled page and then referencing that file is a secure way to access the API key without showing it to the world.  

The next question is do I really need to wait overnight for the references to uploaded files to work? That is one of the problems noted in the same article.  

Thanks!

The file is included in the site is exposed to the world either you placed it on disable or not, you may need to use a external server to doing the fetch to hide the api token. Can choose between a shared hosting with PHP or VPS with nodejs or simplest form is used Google Apps script published url


I am frontend dev that provide solutions to enhance feature of squarespace.com can't provide, please check my profile for more details

--- To Space And Beyond! ---

https://www.freelancer.com/u/BaNgan

Share this post


Link to post
  • 1
2 minutes ago, elderlyman said:

@bangank36 Thanks.  Since you say it is the simplest option, I'll start experimenting with  a Google Apps script on a published url.  Are you sure that an API key listed in a script on a public URL would be safe? 

If security is the most concern, better use shared host or vps for the api handling


I am frontend dev that provide solutions to enhance feature of squarespace.com can't provide, please check my profile for more details

--- To Space And Beyond! ---

https://www.freelancer.com/u/BaNgan

Share this post


Link to post
  • 0

@bangank36 Thanks.  Since you say it is the simplest option, I'll start experimenting with  a Google Apps script on a published url.  Are you sure that an API key listed in a script on a public URL would be safe? 

Share this post


Link to post
  • 0

@paul2009 thanks for the thorough answer.  I've been trying to balance a few goals: use a very simple code block (don't turn on dev mode), keep the API key secure as a best practice/to avoid quota theft, and avoid unnecessary complexities that might break.  I can now see how, within the options of the code block or with file uploads, I'm still playing only in the front end. 

Even though I can't do exactly what I wanted, it's nice to have come to some conclusions about what my options are.  

Thanks! 

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment


×
×
  • Create New...