Securing secret key in frontend JavaScript code

I don’t like the idea of exposing my app’s secret key in the browser. It’s typically not a good idea to do this in JS code. Is it somehow safe for JS devs to do this with Backendless? What security measures is Backendless doing that makes this safe?


Hi Darren,

We believe it is safe if the secret key is accessible/visible in your JS code. First, Backendless gives you control of the CORS policy, where you can specify the authorized domains where your app is loaded from (see the Manage > App Settings > Domain Control section in the console). Additionally, the JS key cannot be used with REST requests. Finally, if your application requires user login, you can secure the data with built-in (or custom) user roles, so that only authenticated users are able to access their data.
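
The three layers named in the reply above (key bound to one API, domain control, user roles), as an added example that is not part of the original post and is not Backendless code. It is a hypothetical server-side model: `APP`, `SESSIONS`, `authorize`, the key strings, role names and request fields are all constructed for illustration.

```javascript
// Hypothetical model of the layered checks; every name and value is constructed.
const APP = {
  // key -> API surface it is valid for (the key identifies the app, not a user)
  keys: new Map([["JS-KEY-PLACEHOLDER", "js"], ["REST-KEY-PLACEHOLDER", "rest"]]),
  allowedOrigins: new Set(["https://app.example.com"]),
  // role -> table -> permitted operations
  permissions: new Map([
    ["guest", new Map([["Products", new Set(["find"])]])],
    ["user", new Map([
      ["Products", new Set(["find"])],
      ["Orders", new Set(["find", "create"])],
    ])],
  ]),
};

// Constructed session store: login token -> role.
const SESSIONS = new Map([["token-alice", "user"]]);

function authorize(req, app = APP, sessions = SESSIONS) {
  // 1. The key must exist and must be used on the API surface it was issued for.
  const surface = app.keys.get(req.key);
  if (surface === undefined) return { allowed: false, reason: "unknown key" };
  if (surface !== req.api) return { allowed: false, reason: "key not valid for this API" };

  // 2. Domain control: browsers set Origin themselves, so this limits which
  //    pages can use the key. It filters page origins; it does not identify a user.
  if (req.api === "js" && !app.allowedOrigins.has(req.origin)) {
    return { allowed: false, reason: "origin not allowed" };
  }

  // 3. Role permissions decide which data the caller can reach.
  const role = sessions.get(req.userToken) || "guest";
  const tables = app.permissions.get(role) || new Map();
  const ops = tables.get(req.table) || new Set();
  if (!ops.has(req.op)) return { allowed: false, reason: `role ${role} denied` };
  return { allowed: true, reason: `role ${role} permitted` };
}

// Constructed request: a logged-in user reading Orders from the allowed page.
const sample = { key: "JS-KEY-PLACEHOLDER", api: "js", origin: "https://app.example.com",
                 table: "Orders", op: "find", userToken: "token-alice" };
console.log(authorize(sample));                             // permitted
console.log(authorize({ ...sample, userToken: undefined })); // guest denied on Orders
```

In this model a request that holds the key but no login is still denied on `Orders`, which is why the role permissions, not the visibility of the key, carry the data protection.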



    Why call it secret if it is by design incorporated in the clear into public code?
    How does CORS help in this situation? (Don’t we want access from anywhere?)
    More broadly, what is the function of the secret key in a JS context?