Forum Discussion

JakeHurt's avatar
JakeHurt
Community Member
3 months ago

Protecting Sensitive Data inside Storyline

Hi,

We've been creating some pretty great things using Javascript and APIs in Storyline, but we would like to be able to secure some of that information - e.g. API Keys and the Javascript code. To prevent unnecessary editing or leaking of this information.

Is there a way we can allow people access to the story file, but restrict access to the javascript?

Thanks

  • You can minimize your JavaScript, and you can obfuscate it, but since it runs on the client you can't really do more than make it inconvenient for a user to view it. Most of whatever you might do can be undone well enough to piece it back together if someone is determined. If you were to place your sensitive information into a server-side script (like PHP) that remains hidden from the client, then that would provide protection but any JavaScript will be exposed.

    • JakeHurt's avatar
      JakeHurt
      Community Member

      What do you mean by minimizing the Javascript?
      I do understand, I did think that might be the case that its always gonna be able to be seen.
      I need to figure out how to hide API keys though.

      • Nathan_Hilliard's avatar
        Nathan_Hilliard
        Community Member

        Minimizing compacts he code (runs everthing together, saving space and making it hard to read). Obsfucating makes it extra hard to read.  See this for additional detail.

        If you don't want someone to gain access to your keys, passwords, or whatever, they should not go into your JavaScript. Even if you try to mask it, if someone realizes the information is there (for example, by poking around your files or looking at the browser inspector), then it is not difficult to gain full access to that data.

  • Seb-Daubert's avatar
    Seb-Daubert
    Community Member

    Hi, using a js obfuscator as Nathan says is a good idea, it doesn't prevent reverse engineering but it's a good start, the api key can be stored directly in a Storyline variable and called by javascript, encoding the api key in base 64 or with another method can also be an idea.
    In any case, it limits the users likely to find the API key...