Discussions
Categories
- 197K All Categories
- 2.5K Data
- 546 Big Data Appliance
- 1.9K Data Science
- 450.8K Databases
- 221.9K General Database Discussions
- 3.8K Java and JavaScript in the Database
- 31 Multilingual Engine
- 552 MySQL Community Space
- 479 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3.1K ORDS, SODA & JSON in the Database
- 556 SQLcl
- 4K SQL Developer Data Modeler
- 187.2K SQL & PL/SQL
- 21.4K SQL Developer
- 296.4K Development
- 17 Developer Projects
- 139 Programming Languages
- 293.1K Development Tools
- 111 DevOps
- 3.1K QA/Testing
- 646.1K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 161 Java Community Process
- 105 Java 25
- 22.1K Java APIs
- 138.2K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 19 Java Essentials
- 162 Java 8 Questions
- 86K Java Programming
- 81 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.3K Java SE
- 13.8K Java Security
- 205 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 475 LiveLabs
- 39 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 175 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 233 Portuguese
Hide API_KEY in Plugin JS Code
Hi,
I created a Dynamic Plugin to get JSON DATA from an external URL. All is working fine. Unfortunately the URL to get the data contains the API_Key to access this API and every user of my application can see this URL with API_KEY in the Browser developer tools. I have to avoid that.
I thought I can switch to PL/SQL and get the data via "apex_web_service.make_rest_request" but that doesn't work because of the server certificate is not in the Oracle wallet.
Is there another way to hide the API_KEY and not adding the SSL certificate into the wallet?
Thanks,
Carsten
Answers
-
If your code requiring the key is run by a web browser, the web browser needs to know the key.
The alternative is to execute the code on trusted server-side platform. Be that on the database or a NodeJS server.
As for not wanting to use SSL - nonsensical to now transmit the secret key over unencrypted HTTP should the web service support this.
