This is not pretty but it works: rm -R $(ls…

Question

0

Asked: May 16, 20262026-05-16T11:51:54+00:00 2026-05-16T11:51:54+00:00

There is an integration with an API for conducting live online classes. The API

0

There is an integration with an API for conducting live online classes. The API wanted us to post a form to their site along with a parameter called customer_token as an input field. It is used for authentication by the API and every customer site is assigned one token. The customer token is actually some hashed value of the domain name or IP or something.

Now, after the integration, they want me to hide the customer_token input field somehow from being accessible through mozilla’s firebug and similar tools, because anybody can see the token and send a similar form to the API and access the API’s service. Needless to say, the API is not developed by some experts. They did not realize the issue before and it is not a widely used API.

I asked a question previously on Best way to hide a form input field from being accessed using firebug? and realised that it is not possible to hide any information through a get/post method. Someone asked me about whether the request is directly being sent to the api, or first to my server or something?

Please explain how does it fix the security issue and how do I implement it?

Thanks,
Sandeepan

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-16T11:51:54+00:00

You could POST to your server, which in a script, POSTs all the parameters to the API form action, but with the customer_token added in your script, server-side, which clients can’t see.

So, you have your original form:

<form action="http://someapi.com/blah" method="POST">
    <input type="hidden" name="customer_token" value="foo">
    <input type="text" name="whatever">
    ...
</form>

And instead use:

<form action="myapiblah.php" method="POST">
    <input type="text" name="whatever">
    ...
</form>

Note that there’s no customer_token in the second example. Then, in myapiblah.php – change the name obviously, especially depending on the server-side language you’re using. I might be able to provide more specific examples if you tell me what you use – use something like this psuedo-code:

parameters = $_POST;
parameters['customer_token'] = 'foo';
send_http_request('POST', 'http://someapi.com/blah', parameters);

You’ll need to look up the details of what to use for send_http_request.

In PHP, you’d do something like this, if you can use the pecl_http stuff in PECL:

$params = $_POST;
$params['customer_token'] = 'foo';

$req = new HttpRequest('http://someapi.com/blah', HttpRequest::METH_POST);
$req->addQueryData($params);
try {
    $r->send();
    if ($r->getResponseCode() == 200) {
        // success!
    }
    else {
        // got to the API, the API returned perhaps a RESTful response code like 404
    }
}
catch (HttpException $ex) {
    // couldn't get to the API (probably)
}

How to approach applying for a job at a company ...

What is a programmer’s life like?

How to handle personal stress caused by utterly incompetent and ...

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions