问题
Recently I have created a Steam app, using the Steam API, which requires the Steam Key to use to any large extent. My application is written completely using client-side JavaScript and needs to have the key put in there somehow. However Steam forbids the user from posting his API in a public place, and I believe that the source code is public.
Is there anyway of encoding it, so there is no way to get the normal key, yet still keep the functionality of putting it in a call to a website (for example www.example.com/?api=key).
An example I have been looking at is encoding it into base 64, but I'm not sure if this fulfills the privacy required. The code for this is:
alert(btoa("key"));
After that I paste in the alert message I got in an example of
var api=atob("key");
This hides the key from plain site, but it can be easily decoded using something like
alert(atob("key"));
Is there a library I can use, or some way that does not need server side JavaScript (such as node.js) to do this.
回答1:
As many of the comments are pointing out, there is no way to make anything secure as soon as it's been in the client and the Server is expected to trust the client.
In your example, particularly, with the function aTob and bToa what you are creating is particularly creating a new APIKEY that behaves to the original APIKEY as as APIKEY' which ends up being insecure.
The solution of this is to put the code and the APIKEY exclusively from the manipulation of the user. This is a secret and as such should be kept as secure and "hidden" as possible.
来源:https://stackoverflow.com/questions/25371305/steam-api-key-in-client-side-javascript