HTTP Header authentication bearer not encoded

Hello,
I just noticed that the API key is included in the web page code (anybody could hack our backend) and cannot be encrypted (is this meant by encode?). I can encode the Get Record and Update Record URL placeholders. This is a critical issue. How can I make my app safe?
Thanks for answering this soon.
Kind regards,
Bert

By chance I found a similar question (there’s no solution so far): Ninox Database - Thread / Optain Bearer-Token Client-Side?

I found a possible solution: Pipedream. But I’m not familiar enough with this tool to create a working workflow. Any expert out there? I would also pay for assistance.

I am afraid you are mixing things up here.

  • Including the API key in the URL is standard and thereby accessible by anybody. The API key is not meant to secure data.
  • “Encoding” is not anything similar to encryption. You can find the information e.g. on Wikipedia here: Percent-encoding - Wikipedia
  • Securing your data needs to be done in your backend configuration by setting the ‘security rules’. In case you are using Firebase for the backend, you can read about its security rules here: Firebase Security Rules | Firebase Documentation
  • Passing the bearer token in the header of an HTTP request will identify the user. Whether this is required to retrieve data depends on the ‘security rules’ of your server.
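As an added illustration of the third and fourth points above (not part of the original thread), assuming the backend is Cloud Firestore: the commented-out rule is the open configuration that lets anyone holding the public API key read and write every record, and the rules below it tie access to the user identified by the bearer token. The collection name `records` and the field `ownerId` are constructed for the example.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // WEAK (constructed example): the API key found in the page source is
    // enough to read and write every document in the collection.
    // match /records/{recordId} {
    //   allow read, write: if true;
    // }

    // HARDENED: request.auth is populated from the bearer token the app
    // sends; a record may only be read or changed by the user who owns it.
    match /records/{recordId} {
      // Existing records: the stored ownerId must match the caller's uid.
      allow read, update, delete: if request.auth != null
                                  && request.auth.uid == resource.data.ownerId;
      // New records: the caller may only create records owned by themselves.
      allow create: if request.auth != null
                    && request.auth.uid == request.resource.data.ownerId;
    }
  }
}
```

With these rules the API key remains public without exposing data; an unauthenticated "Get Record" or "Update Record" call is rejected by the backend regardless of how the URL placeholders are encoded.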

Hi,
Thanks to Pipedream I could resolve the issues in the meantime. I also found the definition for “encoding” in the meantime and could apply it. Of course I could have used basic authentication (user name/password) but for our purpose this would be too complicated and isn’t required either.
Kind regards,
Bert

@Bertrand_Gillert Sounds like you got the answer but if you want more info on security in your apps, we have a general primer on the topic.