KEY is an important and sensitive information to get QWeather data, you have the responsibility to keep it properly and avoid the loss caused by leaking KEY, here are a few ways to protect KEY.
Since 2014, our API has supported HTTPS encrypted access, and at the end of 2016, we closed all non-HTTPS access. Using HTTPS can help stop sensitive information in requests being disclosed, so please don’t skip the HTTPS protection.
Use Signature Auth for authentication, so that even if someone else crawls your request information, it will be hard to get more valuable content.
Create separate KEY for each product
We support creating multiple KEYs and projects, so you can create multiple KEYs for different products or platforms. For example, if you want to make a project about travel, you can create different KEYs for iOS, Android and websites.
If you think your KEY has been compromised or suspect a compromise, you can create a new KEY, then upgrade your program, test and make sure the programs are all running on the new KEY, and finally delete the old KEY.
Store KEY on the server side
Store the KEY on the server side, then send the weather data you need to the front-end through the server side, so that others can’t grab your KEY in the front-end.
If storing KEY in the front-end is unavoidable, you can obfuscate or encrypt the code and change the KEY occasionally, to make it more difficult for others to access your KEY.
Do not share with others
It is likely that you will share your code with others during development, so keep your KEY in environment variables or separate files to avoid giving away your KEY when sharing code.
If your code will be distributed in a public source code management system (e.g. Github), make sure that the file where the KEY is saved is included in a
.gitignore or other similarly configuration file, in other words, keep the KEY out of the source code management system.