Is it safe to have facebook App ID embedded in the UI javascript code?

Facebook's documentation says that we can initialise FB in our app by running the following code. The code is from the documentation, but it also expects 'appId' to be passed as a parameter.

Question: Is it really secure to have the 'appId' embedded in a single page application's client-side JavaScript code, or should this be handled on the server side somehow?

FB.init({
    appId   : '{your-app-id}', // the App ID shown in the app dashboard
    status  : true,            // check the user's login status on init
    xfbml   : true,            // parse XFBML social plugins on the page
    version : 'v2.4'           // or v2.0, v2.1, v2.2, v2.3
});

Update: As @KK pointed out, the documentation says app-secret. So I'm guessing it's safe to have the app-id in the browser, but I should keep the app-secret safe. When I check my Facebook dashboard I can see I have two different IDs for app-id and app-secret.

Even if I kept the app-id on the server and redirected the user via the server, the app-id would still be visible to the user, because the documentation here says that the redirect URL is a GET request, so all the parameters are visible anyway.

user794783 asked Feb 15 '16 06:02



1 Answer

The App ID is perfectly safe to publish (it will be visible in the login process anyway); the App Secret, on the other hand, is called "Secret" for a reason. With the App ID and App Secret, you would already have an App Access Token (App-ID|App-Secret). With an App Access Token, you would be able to change some App settings: https://developers.facebook.com/docs/graph-api/reference/application#Updating

To improve security, you should activate "Require App Secret" in the App settings and use appsecret_proof for server calls:

  • Settings: https://developers.facebook.com/apps/[app-id]/settings/advanced/
  • Securing API calls: https://developers.facebook.com/docs/graph-api/securing-requests
  • General information: https://developers.facebook.com/docs/facebook-login/security
andyrandy answered Nov 06 '22 23:11