I don’t like the idea of exposing my app’s secret key in the browser. It’s typically not a good idea to do this in JS code. Is it somehow safe for JS devs to do this with Backendless? What security measures is Backendless taking that make this safe?
Thanks,
-Darren
Hi Darren,
We believe it is safe if the secret key is accessible/visible in your JS code. First, Backendless gives you control of the CORS policy, where you can specify the authorized domains where your app is loaded from (see the Manage > App Settings > Domain Control section in the console). Additionally, the JS key cannot be used with the REST requests. Finally, if your application requires user login, you can secure the data with built-in (or custom) user roles, thus only authenticated users would be able to access their data.
Regards,
Mark