Facebook's documentation says that we can initialise FB in our app by running the following code. The code is from the documentation, but this also expects 'appId'
It is secure to embed the appId in client-side JS code, because the appId doesn't convey any information about your app/FB profile to anyone who doesn't know your FB username and password. Look at the URL https://developers.facebook.com/apps/{your-app-id}/. If you insert your appId and paste the URL in the browser, it will redirect to the FB login page. But do not include App_secret in your application. Check the link for more information.
The App ID is perfectly safe to publish (it will be visible in the login process anyway); the App Secret, on the other hand, is called "Secret" for a reason. With App ID and App Secret, you would already have an App Access Token (App-ID|App-Secret). With an App Access Token, you would be able to change some App settings: https://developers.facebook.com/docs/graph-api/reference/application#Updating
To improve security, you should activate "Require App Secret" in the App settings and use appsecret_proof for server calls: