When I make a $.getJSON request to the VK API to publish a message on a group wall, Firebug shows a piece of code in which the token, the group number and the transmitted message are all visible. That is, anyone who obtains my token will be able to perform a similar request (add a message to the group or, conversely, delete one, because the permissions allow it). How can I protect against this? Reducing the token's lifetime is not an option, since it has to remain permanent.

    <script type="text/javascript">
    // The VK token and the group id are embedded in the page, so anyone with the
    // browser's developer tools (or the page source) can read them.
    // The message is URL-encoded (rawurlencode, not urldecode) so that it cannot
    // break out of the query string or the JavaScript string literal.
    $.getJSON('https://api.vk.com/method/wall.post?owner_id=-69173875&from_group=1'
              + '&message=<?php echo rawurlencode($message); ?>'
              + '&access_token=TOKEN&v=5.16&callback=?', function (resp) { })
     .done(function (resp) {
         if (resp.response !== undefined)
             console.log("JSON Data: " + resp.response.post_id);
         else
             console.log("error");
     });
    </script>

Moreover, messages are sent both from the site and from localhost, which means binding my site to a standalone application only makes sense at the moment the token is obtained; and if the token is already stored (somewhere in the database), then how can it be transferred safely?
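The approach the comments arrive at, sending the request from the server so the token never reaches the browser, written out as an added example in PHP with cURL; it is not the asker's code or VK's. Assumed, hypothetical names: a session login flag $_SESSION['user_id'], a per-session CSRF token $_SESSION['csrf'], and the VK token stored in the VK_ACCESS_TOKEN environment variable.

```php
<?php
// post_to_wall.php: the browser calls this page on our own site; the VK token
// stays on the server. Names marked "assumed" are hypothetical for this example.
declare(strict_types=1);
session_start();
header('Content-Type: application/json');
// Only logged-in users of this site may post (assumed session flag).
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit(json_encode(['error' => 'not logged in']));
}
// Reject cross-site requests: compare the submitted CSRF token with the session copy (assumed).
if (!hash_equals($_SESSION['csrf'] ?? '', (string)($_POST['csrf'] ?? ''))) {
    http_response_code(403);
    exit(json_encode(['error' => 'bad csrf token']));
}
$message = trim((string)($_POST['message'] ?? ''));
if ($message === '' || mb_strlen($message) > 4096) {
    http_response_code(400);
    exit(json_encode(['error' => 'bad message']));
}
// The token is read from the server environment (assumed VK_ACCESS_TOKEN), never from the client.
$token = getenv('VK_ACCESS_TOKEN');
$body = http_build_query([           // URL-encodes every value, so the message
    'owner_id'     => '-69173875',   // cannot inject extra query parameters
    'from_group'   => 1,
    'message'      => $message,
    'access_token' => $token,
    'v'            => '5.16',
]);
$ch = curl_init('https://api.vk.com/method/wall.post');
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => $body,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,  // keep certificate verification on
]);
$raw = curl_exec($ch);
if ($raw === false) {
    error_log('wall.post failed: ' . curl_error($ch));
    http_response_code(502);
    exit(json_encode(['error' => 'vk request failed']));
}
curl_close($ch);
// Hand the browser only what it needs; the raw VK response (and the token) stay server-side.
$data = json_decode($raw, true);
echo json_encode(['post_id' => $data['response']['post_id'] ?? null,
                  'error'   => $data['error']['error_msg'] ?? null]);
```

The page then calls its own endpoint, for example $.post('/post_to_wall.php', {message: m, csrf: c}), and the VK token never appears in Firebug.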

  • 1. How will he get it? 2. The token is always transmitted in a form readable by the server. That is a condition for identifying the client. - etki
  • Fike is right: access_token is generated for a specific IP address and its lifetime is relatively short. It is generated precisely so that users' logins and passwords are not exposed. - vanchester
  • Found a solution: make the request through Curl. - LANSELOT
  • HTTPS already passes it to you securely, so what is the curl for? - Dmitry V.
