Menu
Facebook's documentation says that we can initialise FB in our app by running the following code. The code is from the documentation but this also expects 'appId' to be passed as parameter.
Question: Is it really secure to have the 'appId' embedded in a single page application's client side Javascript code or should this be handled on the server side somehow ?
FB.init({
appId : '{your-app-id}',
status : true,
xfbml : true,
version : 'v2.4' // or v2.0, v2.1, v2.2, v2.3
});
Update: As @KK pointed out the documentation says app-secret. So I'm guessing it's safe to have app-id in the browser but I should keep the app-secret safe. When I check my facebook dashboard I can see I have two different ids for app-id and app-secret.
Even if I kept app-id on the server and redirected the user via the server, the app-id will still be visible to the user because the documentation here says that the redirect url is a GET request so all the parameters are visible anyway.
244
When you make a Facebook App, that app will have an App ID and an App Secret. With the App ID, you can send several requests to Facebook for data. The Facebook App Secret will be used to decode the encrypted messages from Facebook, so that sensitive information remains protected.
“Facebook is considered a prime target for hackers due to its large number of users, data and connected applications and platforms (e.g. Instagram, WhatsApp). Hackers tend to aim for users rather than the platform itself as they are the weakest link in the chain,” Fragkoulopoulos said.
Supported BrowsersThe Facebook SDK for JavaScript supports the latest two versions of the most popular browsers: Chrome, Firefox, Edge, Safari (including iOS), and Internet Explorer (version 11 only).
Is App Secret Embedded In the Client. If the Native or Desktop App toggle is set to Yes, then you will need to set this field. This restricts the app secret usage to methods allowed by a Client access token.
The App ID is perfectly safe to publish (it will be visible in the login process anyway), the App Secret on the other hand is called "Secret" for a reason. With App ID and App Secret, you would already have an App Access Token (App-ID|App-Secret). With an App Access Token, you would be able to change some App settings: https://developers.facebook.com/docs/graph-api/reference/application#Updating
To improve security, you should activate "Require App Secret" in the App settings and use appsecret_proof for server calls:
167
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
