Is it safe to have facebook App ID embedded in the UI javascript code?

Question

Facebook\'s documentation says that we can initialise FB in our app by running the following code. The code is from the documentation but this also expects \'appId\'

Answer 1

The App ID is perfectly safe to publish (it will be visible in the login process anyway), the App Secret on the other hand is called "Secret" for a reason. With App ID and App Secret, you would already have an App Access Token (App-ID|App-Secret). With an App Access Token, you would be able to change some App settings: https://developers.facebook.com/docs/graph-api/reference/application#Updating

To improve security, you should activate "Require App Secret" in the App settings and use appsecret_proof for server calls:

• Settings: https://developers.facebook.com/apps/[app-id]/settings/advanced/
• Securing API calls: https://developers.facebook.com/docs/graph-api/securing-requests
• General information: https://developers.facebook.com/docs/facebook-login/security