HTTP Header authentication bearer not encoded

Hello,
I just noticed that the API key is included in the web page code (anybody could hack our backend) and cannot be encrypted (is this meant by encode?). I can encode the Get Record and Update Record URL placeholders. This is a critical issue. How can I make my app safe?
Thanks for answering this soon.
Kind regards,
Bert

By chance I found a similar question (there’s no solution so far): Ninox Database - Thread / Optain Bearer-Token Client-Side?

I found a possible solution: Pipedream. But I’m not familiar enough with this tool to create a working workflow. Any expert out there? I would also pay for assistance.

I am afraid you are mixing things up here.

  • including the API-key in the url is standard and thereby accessible by anybody. The API-key is not meant to secure data.
  • “encoding” is not anything similar to encryption. You can find the information e.g. on wikipedia here: Percent-encoding - Wikipedia
  • securing your data needs to be done in your backend configuration by setting the ‘security rules’. In case you are using firebase for the backend, you can read about its security rules here: Firebase Security Rules | Firebase Documentation
  • Passing the bearer-token in the header of a http request will identify the user. Whether this is required to retrieve data depends on the ‘security rules’ of your server.
1 Like
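To illustrate the last two points, here is an added example (not code from this thread, nor from Firebase's or Glide's documentation) of what such ‘security rules’ look like for Firestore. It assumes a `records` collection whose documents carry an `ownerId` field holding the Firebase Auth UID of their owner; the commented-out block is the open configuration, the active block is the one that makes the public API key worthless on its own.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Weak (shown for contrast): anyone who lifts the project config / API key
    // out of the web page can read and overwrite every record.
    // match /records/{recordId} {
    //   allow read, write: if true;
    // }

    // Hardened: the API key only identifies the project. A request must carry a
    // valid ID token (bearer header -> request.auth) and may only touch the
    // records that belong to that user. Collection and field names are assumptions.
    match /records/{recordId} {
      // "Get Record": the caller must be signed in and own the document.
      allow read: if request.auth != null
                  && request.auth.uid == resource.data.ownerId;

      // "Update Record": same owner check, and the owner field cannot be reassigned.
      allow update: if request.auth != null
                    && request.auth.uid == resource.data.ownerId
                    && request.resource.data.ownerId == resource.data.ownerId;

      // New records must be stamped with the creator's own uid.
      allow create: if request.auth != null
                    && request.resource.data.ownerId == request.auth.uid;

      // Deletion is not part of the workflow described, so deny it outright.
      allow delete: if false;
    }
  }
}
```

With these rules an unauthenticated request that presents only the API key is rejected by the backend, which is the check the client-side code can never provide.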

Hi,
Thanks to Pipedream I could resolve the issues in the meantime. I also found the definition for “encoding” in the meantime and could apply it. Of course I could have used basic authentication (user name/password) but for our purpose this would be too complicated and isn’t required either.
Kind regards,
Bert

@Bertrand_Gillert Sounds like you got the answer but if you want more info on security in your apps, we have a general primer on the topic 🙂