So what to do?
You could go down the code obfuscation route. And while it doesn’t protect you from a determined hacker, it does mean that the casual browser of code (if there is such a person!) will not immediately know he is looking at your key. But really it can’t be a long term solution.
One alternative option is to use your web host to proxy all requests to Kasabi. If you are running an Apache instance, then here is a config file that should work for you. You will still need to authenticate with your proxy, as you don’t want someone finding it and using it willy nilly.
This example proxy configuration matches all requests to a certain directory (which doesn’t need to exist on disk) and passes those requests on to the Kasabi API servers. The key thing here (pun intended) is to use the RequestHeader directive to set the X-KASABI-APIKEY header in the forwarded request. The beauty of this is that the additional header will only be sent in the request and not passed back to the original caller.
NameVirtualHost *
<VirtualHost *>
    # Do not act as a forward (open) proxy; only the reverse-proxy rules below apply
    ProxyRequests Off
    <Proxy http://127.0.0.1/*>
        Allow from all
    </Proxy>
    # Requests under /kasabi (no such directory needs to exist) are relayed to the Kasabi API
    <LocationMatch "/kasabi">
        ProxyPass http://api.kasabi.com/
        ProxyPassReverse http://api.kasabi.com/
        # Added to the forwarded request only, never returned to the caller (needs mod_headers)
        RequestHeader set X-KASABI-APIKEY "MySecretAPIKey"
    </LocationMatch>
</VirtualHost>
This approach can also be used (as in our example) to run a proxy on your development machine.
Another approach (assuming you have some code running on your server) is to have the key in your user environment.
Add the following to your user’s
KASABI_API_KEY=123YOURKEY123 ; export KASABI_API_KEY
The following code would get the key in PHP:
$kasabi_api_key = getenv('KASABI_API_KEY');
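To see both approaches working together, here is an added example (not code from the original post, and not anything Kasabi ships): a small in-process Python model of the Apache proxy above. It reads the key from the KASABI_API_KEY environment variable the way the PHP getenv call does, attaches it as X-KASABI-APIKEY to the forwarded request only, and lets you confirm that the caller never receives it. api.kasabi.com is replaced by a constructed mock server on loopback, and all function names, the mock's response format and the sample key are assumptions.

```python
"""Added example, not from the original post: a tiny in-process reverse proxy that
reads KASABI_API_KEY from the environment and injects it only into the upstream
request. api.kasabi.com is replaced by a constructed mock; all names are assumed."""
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

API_KEY_ENV = "KASABI_API_KEY"        # same variable name as in the post
FORWARDED_HEADER = "X-KASABI-APIKEY"  # header the Apache RequestHeader directive sets
MOUNT = "/kasabi"                     # path prefix the proxy handles


def load_api_key(env=None):
    """Counterpart of PHP's getenv('KASABI_API_KEY'); fails loudly if the key is missing."""
    env = os.environ if env is None else env
    key = env.get(API_KEY_ENV, "")
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set in the server environment")
    return key


class FakeKasabiHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for api.kasabi.com: reports whether the key header arrived."""
    def do_GET(self):
        seen = "yes" if self.headers.get(FORWARDED_HEADER) else "no"
        body = f"upstream path={self.path} key_seen={seen}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def make_proxy_handler(upstream_base, api_key):
    """Handler that behaves like ProxyPass + RequestHeader set for the /kasabi prefix.
    Authenticating callers to the proxy (which the post says you still need) is left out."""
    class ProxyHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if not self.path.startswith(MOUNT):
                self.send_error(404)
                return
            # Strip the mount prefix, as ProxyPass inside a Location block does
            upstream_req = Request(upstream_base + (self.path[len(MOUNT):] or "/"))
            upstream_req.add_header(FORWARDED_HEADER, api_key)  # forwarded request only
            try:
                with urlopen(upstream_req, timeout=5) as resp:
                    status, body = resp.status, resp.read()
                    ctype = resp.headers.get("Content-Type", "text/plain")
            except HTTPError as err:
                status, body = err.code, err.read()
                ctype = err.headers.get("Content-Type", "text/plain")
            # Only status, content type and body go back; the key header is never copied
            self.send_response(status)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass

    return ProxyHandler


def start_server(handler):
    """Serve `handler` on a free loopback port in a background thread; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo(api_key):
    """Send one request through the proxy; report what upstream and the caller each saw."""
    upstream, up_port = start_server(FakeKasabiHandler)
    proxy, px_port = start_server(make_proxy_handler(f"http://127.0.0.1:{up_port}", api_key))
    try:
        with urlopen(f"http://127.0.0.1:{px_port}{MOUNT}/api/v1/search?q=test", timeout=5) as resp:
            body = resp.read().decode()
            header_values = [value for _, value in resp.getheaders()]
    finally:
        for server in (proxy, upstream):
            server.shutdown()
            server.server_close()
    return {
        "upstream_saw_key": "key_seen=yes" in body,
        "key_leaked_to_caller": api_key in body or any(api_key in v for v in header_values),
    }


if __name__ == "__main__":
    os.environ.setdefault(API_KEY_ENV, "constructed-demo-key")  # stands in for the exported variable
    print(run_demo(load_api_key()))
```

Run it as a script and the printed result shows the mock upstream received the key while nothing the caller gets back contains it, which is exactly the property the RequestHeader directive gives you in Apache. The key is supplied through the environment rather than a source file, so the same check applies to the second approach in the post.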
I would be interested in whether these approaches work for you. If you have another approach, then maybe we can showcase that too.