Securing API keys and Implementing User Authentication in No-Code Tools

During the meeting, the State Changers discussed at length the issues around API keys and how to keep them secure in applications and websites. The central point was that an API key is no longer secure once it is sent to the front end of a website or application. This is especially true for no-code tools built on FlutterFlow or React Native, which use JavaScript or Dart: what ships to the user is ultimately a set of text files containing the code, and those files can be scanned for secrets or API keys, often for malicious use.

The proposed solution was to store API keys in a controlled vault, such as Xano's backend or Make's platform, where unauthorized users and external entities cannot reach them. The front end then calls the backend, and the backend in turn calls the third-party service's backend, so the API key is managed entirely on the server. This way the secret key is never sent to the front end; it stays in the backend. The meeting also covered using cookies or local storage to authenticate those requests: with access tokens, typically issued by Xano or Firebase for the backend, a serverless function or a Xano endpoint can handle the second request. The idea of cutting out the middleman was discussed as well, using the example of Google Analytics, which relies on a tag and a cookie stored locally on the machine; that cookie is per user and transient, which gives the transaction a higher level of security. The meeting ended with an exchange about the role of user consent for cookies in this process: if it is done correctly, declining cookies should prevent the website from sending API keys to its servers. Relevant keywords found in the transcript include Xano, FlutterFlow, Make, Firebase, React, and JavaScript.
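The following is an added example, not code from the office hours or from Xano, Make, FlutterFlow or Firebase. It shows the pattern the discussion describes in plain Node.js: the browser or app never holds the third-party API key; it sends only its own per-user access token (bearer header or cookie) to a backend endpoint, and only that endpoint attaches the secret when calling the upstream service. The session table, the token values, the upstream URL and the `upstreamFetch` stand-in are all constructed for the example; in a real deployment the token would be verified against Xano or Firebase and the key would come from an environment variable or vault.

```javascript
// Added example: a backend proxy that keeps a third-party API key server-side
// and requires a per-user access token before forwarding a request.
// All names, tokens and the upstream endpoint are hypothetical.

// Constructed stand-in for the auth provider: opaque per-user access tokens
// mapped to user ids. In production this is replaced by verifying a Xano or
// Firebase token; the client only ever sees its own token, never the API key.
const SESSIONS = new Map([
  ['tok-user-42', { userId: 42 }], // constructed sample token
]);

function verifyAccessToken(token) {
  return SESSIONS.get(token) || null;
}

// Pull the per-user token from the Authorization header or, failing that,
// from an access_token cookie (both transports were discussed in the meeting).
function extractToken(headers) {
  const auth = headers['authorization'] || '';
  const bearer = /^Bearer\s+(\S+)$/i.exec(auth);
  if (bearer) return bearer[1];
  const cookie = headers['cookie'] || '';
  const c = /(?:^|;\s*)access_token=([^;]+)/.exec(cookie);
  return c ? c[1] : null;
}

// Build the backend handler. The API key is injected here from a server-side
// source (environment variable or vault), so it never becomes part of a client
// bundle. `upstreamFetch` is whatever makes the outbound call (fetch in prod).
function createProxyHandler({ apiKey, upstreamFetch }) {
  return async function handle(request) {
    const token = extractToken(request.headers || {});
    const session = token ? verifyAccessToken(token) : null;
    if (!session) {
      // No valid per-user token: refuse before touching the secret at all.
      return { status: 401, body: { error: 'missing or invalid access token' } };
    }
    // Only the backend adds the secret; the client's payload is forwarded,
    // tagged with the authenticated user id rather than anything client-claimed.
    const upstream = await upstreamFetch('https://api.example.invalid/v1/query', {
      method: 'POST',
      headers: { 'x-api-key': apiKey, 'content-type': 'application/json' },
      body: JSON.stringify({ userId: session.userId, ...(request.body || {}) }),
    });
    // Return only upstream data; never echo request headers or the key back.
    return { status: 200, body: { data: upstream.data } };
  };
}

// Offline stand-in for the third-party API so the example runs without network.
// It records what it received so we can check the key reached it (and only it).
function makeFakeUpstream(log) {
  return async function fakeFetch(url, init) {
    log.push({ url, headers: init.headers, body: init.body });
    return { data: { echoed: JSON.parse(init.body) } };
  };
}

// Run two requests through the proxy: one with no token, one with a valid one.
async function demo(apiKey = 'CONSTRUCTED-SERVER-ONLY-KEY') {
  const upstreamLog = [];
  const handler = createProxyHandler({ apiKey, upstreamFetch: makeFakeUpstream(upstreamLog) });
  const denied = await handler({ headers: {}, body: { q: 'hello' } });
  const viaCookie = await handler({ headers: { cookie: 'theme=dark; access_token=tok-user-42' }, body: { q: 'hello' } });
  const allowed = await handler({ headers: { authorization: 'Bearer tok-user-42' }, body: { q: 'hello' } });
  return { denied, viaCookie, allowed, upstreamLog };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The property worth checking is visible in the returned objects: the key appears only in `upstreamLog` (what the backend sent to the third party), never in the responses handed back to the client, and a request without a valid token is rejected before the secret is used at all. Declining the cookie simply means `extractToken` finds nothing and the proxy returns 401, which matches the consent point raised at the end of the meeting.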

(Source: Office Hours 2/23 )
