Are API tokens safe inside a Flux (Redux) store?
Would it be safe to store an API token returned by an authentication call in a Flux (specifically, Redux) store? I've used Webpack to compile all assets in the project, which I believe means the store is scoped out of reach from third-party scripts looking to read the store and extract the token.

And, for what it's worth, the token is sent over HTTPS in an Authorization: bearer ... header.

Boughton answered 22/9, 2015 at 16:52

Comments:

- Absolutely not. At least not unless it's okay for your API key to be viewed by anyone. Anyone can access the data in client-side JS at any time (e.g. Chrome dev tools). - Hairy
- Read this; #20963773 - Crypto

If untrusted 3rd party scripts are running on the page, then you should assume that nothing is safe as the entire integrity of the page is compromised.

If only trusted scripts are running, then you can assume your token is safe, subject to the security of the browser and how secure your site is against XSS attacks.

EDIT:

To clarify, this is safety from 3rd party scripts. If you are trying to hide your token from the user themselves then the answer is that it will always be insecure, no matter how much you obfuscate your code since if the user's machine has access to it, then ultimately the user can have access to it (you can make it more difficult, but not impossible).

Despondent answered 22/9, 2015 at 17:05

Comments:

- @Boughton I'd like to add to this that nothing stored in JS should ever be assumed to be secure, because any script with access to your page could in theory be given access to the script/scope. I agree with Trevor; this really boils down to how well you trust the scripts running on your page. - Unsheathe
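The answer's point that the token is only as safe as the scripts running in the page can be made concrete. The following is an added example, not code from the question or the answer, and it uses a hypothetical minimal `createStore` in place of the real redux package so it runs offline in Node. It puts the token into serializable store state the way the question describes and shows how many ordinary code paths then see it (the state itself, `JSON.stringify` of the state as used by persistence and devtools, and an action-logging middleware), then contrasts a variant where the token lives in a closure inside an API client and only a boolean reaches the store. Neither variant protects against a malicious script in the page, exactly as the answer says; the closure variant only shrinks the number of places where the token is exposed by accident.

```javascript
// Added example (not from the original post). Hypothetical stand-in for redux's
// createStore, with middleware support, so the example has no dependencies.
function createStore(reducer, middlewares = []) {
  let state = reducer(undefined, { type: '@@INIT' });
  const store = {
    getState: () => state,
    dispatch: (action) => { state = reducer(state, action); return action; },
  };
  // Each middleware wraps dispatch and therefore sees every action,
  // including a LOGIN_SUCCESS action that carries the token as payload.
  let dispatch = store.dispatch;
  for (const mw of middlewares.slice().reverse()) {
    dispatch = mw(store)(dispatch);
  }
  return { ...store, dispatch };
}

// A logging middleware of the kind commonly attached in development:
// it records every action, so anything on the action ends up in the log sink.
function loggerMiddleware(log) {
  return () => (next) => (action) => {
    log.push(JSON.stringify(action));
    return next(action);
  };
}

// Variant A: the token is ordinary serializable state, as in the question.
function authReducer(state = { token: null }, action) {
  switch (action.type) {
    case 'LOGIN_SUCCESS': return { ...state, token: action.token };
    default: return state;
  }
}

// Reports where a token is visible once it is dispatched into store state.
function exposureInStoreState(token) {
  const log = [];
  const store = createStore(authReducer, [loggerMiddleware(log)]);
  store.dispatch({ type: 'LOGIN_SUCCESS', token });
  return {
    inState: store.getState().token === token,
    inSerializedState: JSON.stringify(store.getState()).includes(token),
    inActionLog: log.some((line) => line.includes(token)),
  };
}

// Variant B: the token stays in a closure owned by an API client; the store
// only records that the user is authenticated. Any script in the same page can
// still call setToken/headersFor or patch this object, so this is not
// protection against XSS, only a smaller accidental-exposure surface.
function createApiClient() {
  let token = null;
  return {
    setToken: (t) => { token = t; },
    // Builds the request headers; a real client would pass these to fetch.
    headersFor: () => (token ? { Authorization: `Bearer ${token}` } : {}),
    isAuthenticated: () => token !== null,
  };
}

function sessionReducer(state = { authenticated: false }, action) {
  switch (action.type) {
    case 'LOGIN_SUCCESS': return { authenticated: true };
    default: return state;
  }
}

function exposureInClosure(token) {
  const log = [];
  const api = createApiClient();
  const store = createStore(sessionReducer, [loggerMiddleware(log)]);
  api.setToken(token);
  store.dispatch({ type: 'LOGIN_SUCCESS' }); // no token on the action
  return {
    inSerializedState: JSON.stringify(store.getState()).includes(token),
    inActionLog: log.some((line) => line.includes(token)),
    stillUsable: api.headersFor().Authorization === `Bearer ${token}`,
  };
}

// Constructed sample token; not a real credential.
const SAMPLE_TOKEN = 'tok-constructed-123';
console.log('in store state:', exposureInStoreState(SAMPLE_TOKEN));
console.log('in closure:    ', exposureInClosure(SAMPLE_TOKEN));
```

The difference between the two results is the practical takeaway: with the token in state, every middleware, devtools extension, state-persistence layer and debug log on the page sees it, whereas with the token in a closure only the API client does. Webpack bundling changes none of this, because every script that executes in the page shares the same JavaScript realm and can reach whatever the bundle reaches.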
