views: 44

answers: 2

I have a form which is posted to an external API. There is a parameter called customer_token which is passed as an input field. It is used for authentication by the API and every customer is assigned one token. The input field is visible in Firefox's Firebug (even though it is a hidden field).

How do I hide it?

Options

*Using javascript as I thought initially*

I think using javascript to create that input field at the run time before submitting the form and immediately removing the field will work but still the field will appear momentarily. So, even if a person can't manually get it, I am afraid that a crawler or spider (I don't know the exact term - but some automated script) may get the customer token. Is there a better solution for this? After form submission, the same form remains displayed.

*Using one-time token concept as suggested by Ikke*

I am not sure how it will work. The API needs the correct customer token value to process any request. So, even to generate a one-time token and return it, a request with the customer token has to be sent. This way anyone is able to see my customer token value and they can also send a request to get a one-time token and use it. So how does it solve the problem?

*Resolved* Check http://stackoverflow.com/questions/3590422/how-to-post-form-to-my-server-and-then-to-api-instead-of-posting-directlyfor-se Thanks, Sandeepan

A: 

Hi, I don't think this is possible, I'm afraid.

Firebug will still see the element if it's inserted via Javascript, as it watches the DOM tree. If this input exposes a security vulnerability then it's the job of your server-side code to validate/fix it.

More details on the API might help somebody answer this question in more detail.

I hope this helps

Rowan

sandeepan: The API needs the customer token to be passed as an input field.

Rowan: Is the customer token always the same? And where does the token come from?

sandeepan: Yes, currently it is the same. It is some hash of the customer's domain name.
+3 A:

This is not possible. Firebug just reads the DOM in its actual state, so even if the field is added at a later stage, it can still be retrieved.

This kind of security is called security through obscurity and is a kind of non-security. You would have to solve it another way, like letting the server do the request instead.

You let the user submit the form to the server. Then, with curl, you make the call to the web service with the correct user code.

Ikke

sandeepan: How will the one-time token work? If you can explain a little. The API needs the correct customer token value to process any request. So, even to generate a one-time token and return it, a request with the customer token has to be sent. This way anyone is able to see my customer token value and they can also send a request to get a one-time token and use it. So how does it solve the problem?

Ikke: Is the request directly being sent to the API, or first to your server or something?

sandeepan: The request is directly sent to the API. How do I follow the approach of sending the request first to my server and then to the API? Sending the request to my server is fine. But how do I post the request from my server to the API? Please explain, I think this is going towards the solution. Thanks, Sandeepan

Ikke: With a library like curl, you can make external HTTP requests.
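The relay Ikke describes, written out as an added example that is not part of the original thread: the browser posts only the user-entered fields to your own server, and the server appends customer_token from its own configuration before forwarding to the API, so the token never appears in any HTML or DOM the browser sees. The API URL, the allowed field names and the CUSTOMER_TOKEN environment variable are assumptions, and the token value below is a placeholder.

```python
import os
import urllib.parse
import urllib.request

# Hypothetical API endpoint; the real URL is not given in the thread.
API_URL = "https://api.example.com/submit"

# The per-customer token lives only in server configuration (an environment
# variable here, with a placeholder default). It is never rendered into HTML.
CUSTOMER_TOKEN = os.environ.get("CUSTOMER_TOKEN", "PLACEHOLDER_CUSTOMER_TOKEN")

# Fields the public form may pass through. Anything else, including a
# customer_token a client might try to inject, is dropped before forwarding.
ALLOWED_FIELDS = ("name", "email", "message")


def render_public_form(action="/contact"):
    """HTML served to the browser: it carries no hidden token field at all."""
    return (
        f'<form method="post" action="{action}">'
        '<input name="name"><input name="email">'
        '<textarea name="message"></textarea>'
        '<button type="submit">Send</button></form>'
    )


def build_upstream_form(client_fields, token):
    """Build the body the server sends to the API from the browser's POST data."""
    upstream = {k: v for k, v in client_fields.items() if k in ALLOWED_FIELDS}
    upstream["customer_token"] = token  # added only here, on the server side
    return upstream


def forward_to_api(client_fields, token=CUSTOMER_TOKEN, api_url=API_URL,
                   opener=urllib.request.urlopen):
    """Server-side relay: the Python equivalent of the curl call in the answer.

    `opener` is injectable so the relay can be exercised without network access.
    Returns (HTTP status, response body bytes) from the API.
    """
    body = urllib.parse.urlencode(build_upstream_form(client_fields, token)).encode()
    req = urllib.request.Request(api_url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with opener(req, timeout=10) as resp:
        return resp.status, resp.read()
```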