How to encrypt plain text credentials in a javascript page

Posted on 2011-10-12
Last Modified: 2012-05-12
I just need some direction to get me started on how to encrypt my Paypal API password, ID and signature, that I now have stored in plain text in the javascript code:
NVPCallerServices caller = null;

try {
	caller = new NVPCallerServices();
	APIProfile profile = null;
	profile = ProfileFactory.createSignatureAPIProfile();
	/*
	 WARNING: Do not embed plaintext credentials in your application code.
	 Doing so is insecure and against best practices.
	 Your API credentials must be handled securely. Please consider
	 encrypting them for use in any production environment, and ensure
	 that only authorized individuals may view or modify them.
	*/
	// Set up your API credentials, PayPal end point, API operation and version.


Question by:Jeff swicegood

Expert Comment

ID: 36960054
You should never put your Paypal password in your Javascript.  Paypal's documentation explains how to make secure buttons for payment:

Author Comment

by:Jeff swicegood
ID: 36966103
Thank you for your comment. Yes, a Paypal button would be the simplest way to take donations, but buttons are very limiting and not what we want to do. Please bear with me because I don't quite have the language to describe exactly what I want to do.

We have a webapp that takes donations and works. So far it has been confined to one kiosk machine so I have not worried about security very much, but now I want to open it up to the web. The problem is I have these credentials in there in plain text because that is the only way I knew how to do it at the time.

Quote from Paypal: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_NVPAPIOverview

"IMPORTANT: You must protect the values for USER, PWD, and SIGNATURE in your implementation. Consider storing these values in a secure location other than your web server document root and setting the file permissions so that only the system user that executes your ecommerce application can access it."

There must be some way to have my application pull those values from a secure file or server when it needs them.

Accepted Solution

mrcoffee365 earned 2000 total points
ID: 36966137
You absolutely must take your Paypal password out of the javascript.  You realize that your password is now known to the world?  Anyone can log in and transfer all your money in the account to another account.

Change your Paypal password immediately.

Then do not put the new password in your Javascript.  You need server-side code to hold the password, if you do not want to use one of the methods (like payment buttons) Paypal provides.

If you do not know how to program server-side code, then hire someone to do it for you.  Many people can do it.  

Do you know what web server software your web site uses?  Do you know if something like PHP is already available?  That would probably be the easiest thing, although any server-side language would be fine.
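
The arrangement described in the PayPal note quoted above and in this answer, as an added example that is not part of the original thread or of the PayPal SDK: server-side Java that reads USER, PWD and SIGNATURE from a properties file kept outside the web root and refuses to load it if anyone but the owner can access it. The class name, the file layout and the placeholder values are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.*;

// Hypothetical helper (not part of the PayPal SDK): reads USER, PWD and SIGNATURE
// from a properties file outside the web root, accessible only to its owner.
public final class PayPalCredentialStore {
    private final Properties props = new Properties();

    public PayPalCredentialStore(Path file, Path webRoot) throws IOException {
        Path real = file.toRealPath();                    // resolves symlinks and ".."
        if (real.startsWith(webRoot.toRealPath()))
            throw new SecurityException("credential file is inside the web root");
        // POSIX file systems only: reject any permission beyond owner read/write.
        Set<PosixFilePermission> extra = new HashSet<>(Files.getPosixFilePermissions(real));
        extra.removeAll(PosixFilePermissions.fromString("rw-------"));
        if (!extra.isEmpty())
            throw new SecurityException("credential file permissions too broad: " + extra);
        try (InputStream in = Files.newInputStream(real)) {
            props.load(in);
        }
        for (String key : new String[] {"USER", "PWD", "SIGNATURE"})
            if (props.getProperty(key, "").trim().isEmpty())
                throw new IllegalStateException("missing credential property: " + key);
    }

    public String get(String key) { return props.getProperty(key).trim(); }

    // Demo with constructed placeholder values in temporary directories.
    public static void main(String[] args) throws IOException {
        Path webRoot = Files.createTempDirectory("webroot");
        Path secretDir = Files.createTempDirectory("secrets");
        Path file = secretDir.resolve("paypal.properties");
        Files.write(file, Arrays.asList("USER=example_api_user", "PWD=example-password",
                "SIGNATURE=example-signature"));
        Files.setPosixFilePermissions(file, PosixFilePermissions.fromString("rw-------"));
        PayPalCredentialStore store = new PayPalCredentialStore(file, webRoot);
        System.out.println("loaded credentials for " + store.get("USER"));
    }
}
```

In the web application the file would be owned by the account that runs Tomcat, and the loaded values would be handed to the API profile in place of string literals in the source.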
Author Comment

by:Jeff swicegood
ID: 36966190
Yes, you've actually given me a lot of information.

Don't worry, my code has not been exposed.

I will take a shot at programming server-side code. This web server is Apache with Tomcat and Java is available. I could also set up PHP if need be.

Expert Comment

ID: 36966616
Java is great.  You can post from your page to a JSP page or a Java servlet.  Or add PHP to your Apache server and use a PHP page.

In fact -- your question said Javascript, but the code you posted is Java and is in fact the example Java code from Paypal.  So it has to run on the server, right?  Unless you're creating an applet, which would be a security problem for this.

This code is for creating a report to read Paypal transactions from your account -- it's not for Paypal payments.  Is that what you are doing?  Or are you really trying to create a mechanism for users to pay via Paypal?


Author Comment

by:Jeff swicegood
ID: 36974828
I closed the question before I saw your last comment.

I will open another question once I formulate it.

Yes, this code runs on the server, and yes, I am trying to create a mechanism for people to pay via paypal.
In fact I already have and it works. This was just a code snippet; the actual code is comprised of a dozen or so different .jsp files, class libraries, etc. I have used the paypal java sdk exactly except for this one detail I couldn't figure out.

Yes, I'm not clear on what is Javascript and what is Java, but I'm pretty sure both are mixed in the overall sdk code.
