application-id and secret-key appear in request header


I am using Ionic with the Backendless JavaScript SDK. My question is whether, to run the app, you should set Domain Control to * because the app doesn't have a domain or IP; correct me if I am wrong.

If anyone can catch the request using tools like “Charles Proxy”, he can get the application-id and secret-key that appear in the request header.

Is there any way to handle this?


Security of an app powered by Backendless is not about hiding your app id and secret key. There is no way to hide them in a JavaScript app anyway. The key to properly securing your app is applying security policy using roles and permissions for your tables, users, objects and files.


Even if you are using a native mobile app, if anyone can catch the request headers using tools like “Charles Proxy”, he can use the same API with the key and secret. I will do more research about it and I will add my suggestion if I find anything that will help. BTW, great work, thanks all :slight_smile:

My point is this: hiding your secret key is NOT the way to secure your app. Yes, anyone can get your key using Charles, that is exactly the reason why you should secure your app using Backendless roles and permissions.
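
The point made in the replies above, shown as a small model. This is an added example, not code from the thread or from Backendless: the role names, tables, tokens and key placeholders are all assumptions chosen for illustration. It shows a request replayed with captured app keys being limited to whatever the guest role is allowed to do.

```javascript
// Simplified model of server-side authorization. Not Backendless code or its API;
// every role, table, token and key below is constructed for illustration.
const APP = { id: "APP-ID-PLACEHOLDER", key: "SECRET-KEY-PLACEHOLDER" }; // readable by any proxy

// role -> table -> permitted operations; anything not listed is denied.
const PERMISSIONS = {
  guest:  { Products: ["find"] },
  member: { Products: ["find"], Orders: ["find", "create"] },
  admin:  { Products: ["find", "create", "update", "delete"],
            Orders:   ["find", "create", "update", "delete"] },
};

// Session tokens handed out at login and stored server-side.
const SESSIONS = new Map([
  ["token-alice", { userId: "alice", role: "member" }],
  ["token-root",  { userId: "root",  role: "admin" }],
]);

function authorize(req) {
  // The app keys only say which app is calling; they grant nothing by themselves.
  if (req.appId !== APP.id || req.secretKey !== APP.key) {
    return { status: 401, reason: "unknown application" };
  }
  // No token, or a token the server never issued, means the caller is a guest.
  const session = SESSIONS.get(req.userToken) || { userId: null, role: "guest" };
  const allowedOps = (PERMISSIONS[session.role] || {})[req.table] || [];
  if (!allowedOps.includes(req.op)) {
    return { status: 403, reason: `${session.role} may not ${req.op} ${req.table}` };
  }
  // Object-level rule: non-admins only reach objects they own.
  if (req.ownerId && session.role !== "admin" && req.ownerId !== session.userId) {
    return { status: 403, reason: "not the owner of this object" };
  }
  return { status: 200, reason: "ok" };
}

// Constructed request replayed from a proxy capture: valid keys, no user session.
const replayed = { appId: APP.id, secretKey: APP.key, table: "Orders", op: "delete" };
console.log(authorize(replayed));                                       // denied for guest
console.log(authorize({ ...replayed, table: "Products", op: "find" })); // public read allowed
console.log(authorize({ ...replayed, userToken: "token-alice", op: "find", ownerId: "bob" }));
```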