• Resolved ROCK Design B.V.

    (@rockdesign)


    Hi,

We are using the plugin with great joy. But we found a big security issue (in our opinion). When inspecting the start page of the plugin you can view the API key (global key and API tokens) with inspect tools.

    Is there a way to hide this from the source code or to protect it?

    With kind regards,

    Marco

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Support Stefan Cotitosu

    (@stefancotitosu)

    Hi @rockdesign,

    Thank you for using Super Page Cache and for reporting this. I asked internally so the development team can analyze the case and address the problem in a future version.

    Regards,
    Stefan

    Plugin Contributor iSaumya

    (@isaumya)

    Hi @rockdesign,
    Thanks for reporting this. Can you try out this build and confirm if you are still able to see your real API Key or Token? Now you are supposed to see garbage text when doing inspect element and not the actual keys.

    Plugin Contributor iSaumya

    (@isaumya)

    Hi @rockdesign,
Unfortunately, I had to revert that patch as it will create numerous issues across the plugin. Basically, if we change the API Key or Token to garbage data, it will pass that garbage data to the Cloudflare API, which will cause all requests to fail.

I personally don’t think this is a major issue. In fact, you will see that with most premium plugins that allow you to add a license key on the plugin settings page, you can always get that license key by doing inspect element, though you cannot see it on the screen.

But then again, this API details section is only shown to the admin users, and no one should make untrusted users admin users. Moreover, only an admin who has enough knowledge to do inspect element can find the data.

Moreover, technically someone who has DB access can also find the API key one way or another. I would suggest, if you have security concerns, just use the API Token mode instead of the Global API Key, as in this way you can give specific permissions to the token and it will do those tasks only.

    @isaumya I agree that this is not a major issue and maybe not an issue at all. Admin access and database access already suggest a high level of trust and tokens let you limit and revoke further.

That said, maybe you could add an option to add the API token in the wp-config file so it’s in the file system instead of the database. (FluentSMTP provides an option like this for AmazonSES access tokens.) @rockdesign Would a solution like that solve your issue?

    Plugin Contributor iSaumya

    (@isaumya)

    Hi @idea7,
    This is already possible and mentioned under the FAQ tab of the plugin settings. Screenshot: https://i.imgur.com/M2gIlLB.jpeg

    Thread Starter ROCK Design B.V.

    (@rockdesign)

    Hi All,

Thank you for replying and the useful reactions. I see. I think we will try to add the keys via PHP constants.

    Cheers!

    @isaumya Great!! I totally missed that. Thanks!
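The pattern the thread converges on (token defined as a PHP constant in wp-config.php, with the settings page never echoing the real secret) looks roughly like the following. This is an added illustration, not Super Page Cache's own code; the constant name `EXAMPLE_CF_API_TOKEN`, the option name `example_cf_api_token` and all function names are hypothetical placeholders, not the plugin's real identifiers (those are documented under the plugin's FAQ tab, as noted above). It also shows how to avoid the problem that forced the patch revert: the form never carries the stored token, so nothing masked or garbled can be posted back and forwarded to Cloudflare.

```php
<?php
/*
 * Added example (not the plugin's own code). Constant, option and field
 * names are hypothetical placeholders.
 *
 * --- wp-config.php (the site owner adds this one line) ---
 * define( 'EXAMPLE_CF_API_TOKEN', 'cf-token-placeholder' );
 */

/**
 * Token used for Cloudflare API calls. A constant in wp-config.php
 * wins over the value stored in the database.
 */
function example_cf_get_api_token() {
    if ( example_cf_token_is_from_config() ) {
        return EXAMPLE_CF_API_TOKEN;
    }
    return (string) get_option( 'example_cf_api_token', '' );
}

/** True when the token comes from wp-config.php and is not editable in the UI. */
function example_cf_token_is_from_config() {
    return defined( 'EXAMPLE_CF_API_TOKEN' ) && '' !== EXAMPLE_CF_API_TOKEN;
}

/**
 * Render the settings field. The real token is never written into the page:
 *  - from wp-config.php: a disabled, empty field with a note;
 *  - from the DB: an empty password field whose placeholder only says a
 *    token is saved.
 * "Inspect element" therefore reveals no secret in either case.
 */
function example_cf_render_token_field() {
    if ( example_cf_token_is_from_config() ) {
        echo '<input type="password" disabled value="" placeholder="'
            . esc_attr__( 'Defined in wp-config.php', 'example-cf' ) . '" />';
        return;
    }
    $placeholder = '' !== example_cf_get_api_token()
        ? __( 'Token saved. Enter a new one to replace it.', 'example-cf' )
        : __( 'Enter your Cloudflare API token', 'example-cf' );
    echo '<input type="password" name="example_cf_api_token" value="" '
        . 'autocomplete="new-password" placeholder="' . esc_attr( $placeholder ) . '" />';
}

/**
 * Sanitize callback for register_setting(). Because the form never carries
 * the stored token, an empty submission means "keep the existing value", so
 * no display-only text can end up being sent to the Cloudflare API.
 */
function example_cf_sanitize_token( $submitted ) {
    $current = (string) get_option( 'example_cf_api_token', '' );
    if ( example_cf_token_is_from_config() ) {
        return $current; // nothing editable here; leave the DB value untouched
    }
    $submitted = trim( (string) $submitted );
    return '' === $submitted ? $current : sanitize_text_field( $submitted );
}

add_action( 'admin_init', function () {
    register_setting(
        'example_cf_settings',
        'example_cf_api_token',
        array(
            'type'              => 'string',
            'sanitize_callback' => 'example_cf_sanitize_token',
            'show_in_rest'      => false, // keep the token out of the REST API as well
        )
    );
} );
```

Two points worth noting in this design: the constant path keeps the secret out of the database entirely, which also covers the "someone with DB access" case raised above, and a scoped API token (rather than the Global API Key) remains the better choice regardless of where it is stored, since it can be limited to the needed permissions and revoked independently.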

  • The topic ‘Api token visible in inspect tools’ is closed to new replies.