在客户端公开 Facebook 应用程序令牌是否不安全?
Is it insecure to expose Facebook app token in client side?
我的网站使 JS Facebook Graph API 请求像
https://graph.facebook.com/v2.2?id=http://[URL]&format=json&access_token=[FB app id]|[FB app token]
获取每个 post 的 Facebook 分享数。应用程序 ID 是我的 Facebook 应用程序 ID 号,应用程序令牌是一个持久的访问令牌。
这两个值都在客户端公开,尽管我的应用程序密码是私有的并且我在服务器端生成应用程序令牌。
这种做法不安全吗?我是否需要将这些请求移动到服务器端并创建我自己的端点来报告共享计数?
Facebook 的 documentation 有点令人困惑。它说:
Again, for security, app access token should never be hard-coded into client-side code, doing so would give everyone who loaded your webpage or decompiled your app full access to your app secret, and therefore the ability to modify your app. This implies that most of the time, you will be using app access tokens only in server to server calls.
Note that because this request uses your app secret, it must never be
made in client-side code or in an app binary that could be decompiled.
It is important that your app secret is never shared with anyone.
Therefore, this API call should only be made using server-side code.
我没有对应用程序访问令牌进行硬编码,而且我将我的应用程序保密。但是我在客户端到服务器调用中使用了应用程序令牌。我需要更改吗?
我认为文档(在https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens)很清楚,你也引用了它们:
Again, for security, app access token should never be hard-coded into client-side code, doing so would give everyone who loaded your webpage or decompiled your app full access to your app secret, and therefore the ability to modify your app. This implies that most of the time, you will be using app access tokens only in server to server calls.
我想知道你怎么说它不是硬编码的...如果是这样,应用访问令牌是从哪里来的?
我的网站使 JS Facebook Graph API 请求像
https://graph.facebook.com/v2.2?id=http://[URL]&format=json&access_token=[FB app id]|[FB app token]
获取每个 post 的 Facebook 分享数。应用程序 ID 是我的 Facebook 应用程序 ID 号,应用程序令牌是一个持久的访问令牌。
这两个值都在客户端公开,尽管我的应用程序密码是私有的并且我在服务器端生成应用程序令牌。
这种做法不安全吗?我是否需要将这些请求移动到服务器端并创建我自己的端点来报告共享计数?
Facebook 的 documentation 有点令人困惑。它说:
Again, for security, app access token should never be hard-coded into client-side code, doing so would give everyone who loaded your webpage or decompiled your app full access to your app secret, and therefore the ability to modify your app. This implies that most of the time, you will be using app access tokens only in server to server calls.
Note that because this request uses your app secret, it must never be made in client-side code or in an app binary that could be decompiled. It is important that your app secret is never shared with anyone. Therefore, this API call should only be made using server-side code.
我没有对应用程序访问令牌进行硬编码,而且我将我的应用程序保密。但是我在客户端到服务器调用中使用了应用程序令牌。我需要更改吗?
我认为文档(在https://developers.facebook.com/docs/facebook-login/access-tokens#apptokens)很清楚,你也引用了它们:
Again, for security, app access token should never be hard-coded into client-side code, doing so would give everyone who loaded your webpage or decompiled your app full access to your app secret, and therefore the ability to modify your app. This implies that most of the time, you will be using app access tokens only in server to server calls.
我想知道你怎么说它不是硬编码的...如果是这样,应用访问令牌是从哪里来的?