elderlyman Posted June 10, 2020 Share Posted June 10, 2020 I would like to make a fetch request from my squarespace site to a weather data provider. The code works fine when I write it into a code block directly on the page. My issue is that the code contains an API key that I want to keep secure, yet accessible. My strategy to keep this "simple" was to use the method described in this article to upload my file that runs the script which uses the API key, and then reference that file using <script src="/s/javascriptfile.js"></script> The biggest question is whether storing an API key in an uploaded file linked on a disabled page and then referencing that file is a secure way to access the API key without showing it to the world. The next question is do I really need to wait overnight for the references to uploaded files to work? That is one of the problems noted in the same article. Thanks! Link to comment
Beyondspace Posted June 16, 2020 Share Posted June 16, 2020 On 6/11/2020 at 1:40 AM, elderlyman said: I would like to make a fetch request from my squarespace site to a weather data provider. The code works fine when I write it into a code block directly on the page. My issue is that the code contains an API key that I want to keep secure, yet accessible. My strategy to keep this "simple" was to use the method described in this article to upload my file that runs the script which uses the API key, and then reference that file using <script src="/s/javascriptfile.js"></script> The biggest question is whether storing an API key in an uploaded file linked on a disabled page and then referencing that file is a secure way to access the API key without showing it to the world. The next question is do I really need to wait overnight for the references to uploaded files to work? That is one of the problems noted in the same article. Thanks! The file is included in the site is exposed to the world either you placed it on disable or not, you may need to use a external server to doing the fetch to hide the api token. Can choose between a shared hosting with PHP or VPS with nodejs or simplest form is used Google Apps script published url BeyondSpace - Squarespace Website Developer 🖼️ Lightbox Studio (Enable Pinch/Zoom on lightbox, video lightbox and much more) 🗓️ Delivery Date Picker (Squarespace Date picker form field) 💫 Gallery block 7.1 workaround 🥳 No-code customisations for Squarespace (+100 Spark plugin customisations) 🥳 Freemium Squarespace Widget Templates (+1000 Elfsight Templates) If you find my answer useful, let's leave a like or upvote so others with the same issue can find their solution. Thank you! Link to comment
elderlyman Posted June 17, 2020 Author Share Posted June 17, 2020 @bangank36 Thanks. Since you say it is the simplest option, I'll start experimenting with a Google Apps script on a published url. Are you sure that an API key listed in a script on a public URL would be safe? Link to comment
Beyondspace Posted June 17, 2020 Share Posted June 17, 2020 2 minutes ago, elderlyman said: @bangank36 Thanks. Since you say it is the simplest option, I'll start experimenting with a Google Apps script on a published url. Are you sure that an API key listed in a script on a public URL would be safe? If security is the most concern, better use shared host or vps for the api handling BeyondSpace - Squarespace Website Developer 🖼️ Lightbox Studio (Enable Pinch/Zoom on lightbox, video lightbox and much more) 🗓️ Delivery Date Picker (Squarespace Date picker form field) 💫 Gallery block 7.1 workaround 🥳 No-code customisations for Squarespace (+100 Spark plugin customisations) 🥳 Freemium Squarespace Widget Templates (+1000 Elfsight Templates) If you find my answer useful, let's leave a like or upvote so others with the same issue can find their solution. Thank you! Link to comment
paul2009 Posted June 17, 2020 Share Posted June 17, 2020 Short answer The short answer is that this is not possible on the Squarespace platform. Longer answer Web servers have two areas where code can be stored: The "back end". The back end is usually very secure and is where API keys should be stored. Website visitors cannot access this. This is where Squarespace stores approved API keys and code for secure payments. The "front end". Any content in the frontend is readable to anyone who can view the website, so if you store your API key here, everyone (with the skills) will be able to see it. API Keys should always be saved in the "back end". The Squarespace platform provides a secure location where approved API keys can be stored (in Settings > Advanced > External API Keys). This is great for approved APIs but as you do not have direct access to the "back end" there isn't a secure location where you can store non-approved API keys. In summary, on the Squarespace platform, there is not a way to make an API key accessible and, at the same time, protect it from public view. Adding a linked JS file won't help. Me: I'm Paul, a SQSP user for >18 yrs & Circle Leader since 2017. I value honesty, transparency, diversity and good design ♥. Work: Founder of SF.DIGITAL. We provide high quality original extensions to supercharge your Squarespace website. Content: Views and opinions are my own. Links in my posts may refer to my own SF.DIGITAL products or may be affiliate links. Forum advice is completely free. You can thank me by selecting a feedback emoji. Buying a coffee is generous but optional. Would you like your customers to be able to mark their favourite products in your Squarespace store? Link to comment
elderlyman Posted June 17, 2020 Author Share Posted June 17, 2020 @paul2009 thanks for the thorough answer. I've been trying to balance a few goals: use a very simple code block (don't turn on dev mode), keep the API key secure as a best practice/to avoid quota theft, and avoid unnecessary complexities that might break. I can now see how, within the options of the code block or with file uploads, I'm still playing only in the front end. Even though I can't do exactly what I wanted, it's nice to have come to some conclusions about what my options are. Thanks! Link to comment
Recommended Posts
Archived
This topic is now archived and is closed to further replies.