I'm building an application to send cart to my trello board, but I don't want for users to accept application (for this they must have trello account) instead I created another account ('slave account') and give it read,write permission to my board and generate read,write token that never expires.
On my webpage I include core.js
https://api.trello.com/1/client.js?key=[appkey]&token=[token]
Everything works but... if user checks my code he can see my "app key" and "token".
So my question is:
1. Is this a security problem - visitor can take this app key/token and access bord? (I believe it is)
2. How do I change my code so that visitor of the page doesn't see my app key/token?
thx
Trello provides a secure experience for customers by keeping their security systems up to date with the best practices. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that organizations must adhere to when handling credit card and debit card information.
While enterprise-level accounts have some more options around access and permissions, all Trello users have the same security. There are a lot of ways to hack an account and a lot of ways to gain access to private stuff. All we can really tell you here is that Trello is hack-resistant, like most other web services.
Trello uses industry standard Transport Layer Security (“TLS”) to create a secure connection using 128-bit Advanced Encryption Standard (“AES”) encryption. This includes all data sent between the web, desktop, iOS, and Android apps and the Trello servers. There is no non-TLS option for connecting to Trello.
Trello is committed to compliance with the General Data Protection Regulation ( GDPR). The regulation contains the most significant changes to European data privacy legislation in the last 20 years.
If you are making you token available to people, then yes, there is a potential security issue there - with the key and token, they can issue requests as you for any permissions you have granted on that token. So if you want to create a token with write access to the board, you probably want to keep that on the server side, and have your Javascript submit to your server, which then in turn relays that to the Trello site using the token you generated.
If you are worried that you have revealed a token you did not want to, you can invalidate it at the bottom of your account page at https://trello.com/your/account.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With