Question
I might be missing something here, but since Branch.IO's Web SDK must run in a browser, it exposes my BRANCH_KEY to the user. So what is stopping the user from opening up the source, finding the key and then initializing their own branch and abusing my account by sending SMS messages? Normally if I were worried about exposing an API key I would just handle the API request server side - but Branch.IO doesn't seem to have a Node/Server side SDK to use.
EDIT: This is even worse than a malicious user spamming your pre-crafted text messages. I've managed to prove that a malicious user can change the redirect URL links in your text message SOLELY through using the PUBLIC KEY.
Source: https://stackoverflow.com/questions/61760936/what-stops-malicious-users-from-getting-my-branch-key-in-my-javascript-source-co