2016-05-11, 18:58
I'm updating Artist Slideshow, and in working with the folks at theaudiodb.com, it looks like my API key for that site is being used by someone else (their logs are showing calls using my API key to URLs I don't call in AS). I'm getting a new key so that we can figure out the actual load AS is putting on their servers, but this has gotten me to thinking about how to deal with this. I publish all my code to a free GitHub account, so it's all public and searchable. I've heard of people crawling GitHub looking for keys to use, so the fact that the keys are in the code seems problematic to me now. As I see it, I have a few options:
1- change the name of the variable so that it's not something like api or apikey. (done for the new version of AS, but it only masks the problem by making it harder to crawl for the keys)
2- pay for a GitHub account so I can make all my repos private (but that means others can't see or fork the code, and there's a cost to me then)
3- remove the API keys from the code (but then I have to figure out a way to have AS download the keys after install)
What are others doing to address this?