How to encrypt plain text credentials in a javascript page

Posted on 2011-10-12
Last Modified: 2012-05-12
I just need some direction to get me started on how to encrypt my Paypal API password, ID and signature, that I now have stored in plain text in the javascript code:
NVPCallerServices caller = null;

try {
    caller = new NVPCallerServices();
    APIProfile profile = null;
    profile = ProfileFactory.createSignatureAPIProfile();
    /*
     WARNING: Do not embed plaintext credentials in your application code.
     Doing so is insecure and against best practices.
     Your API credentials must be handled securely. Please consider
     encrypting them for use in any production environment, and ensure
     that only authorized individuals may view or modify them.
    */
    // Set up your API credentials, PayPal end point, API operation and version.


Question by:Jeff swicegood

    Expert Comment

    You should never put your Paypal password in your Javascript.  Paypal's documentation explains how to make secure buttons for payment:

    Author Comment

    by:Jeff swicegood
    Thank you for your comment. Yes, a Paypal button would be the simplest way to take donations, but buttons are very limiting and not what we want to do. Please bear with me because I don't quite have the language to describe exactly what I want to do.

    We have a webapp that takes donations and works. So far it has been confined to one kiosk machine so I have not worried about security very much, but now I want to open it up to the web. The problem is I have these credentials in there in plain text because that is the only way I knew how to do it at the time.

    quote from Paypal

    "IMPORTANT:You must protect the values for USER, PWD, and SIGNATURE in your implementation. Consider storing these values in a secure location other than your web server document root and setting the file permissions so that only the system user that executes your ecommerce application can access it."

    There must be some way to have my application pull those values from a secure file or server when it needs them.

    Accepted Solution

    You absolutely must take your Paypal password out of the javascript.  You realize that your password is now known to the world?  Anyone can log in and transfer all your money in the account to another account.

    Change your Paypal password immediately.

    Then do not put the new password in your Javascript.  You need server-side code to hold the password, if you do not want to use one of the methods (like payment buttons) Paypal provides.

    If you do not know how to program server-side code, then hire someone to do it for you.  Many people can do it.  

    Do you know what web server software your web site uses?  Do you know if something like PHP is already available?  That would probably be the easiest thing, although any server-side language would be fine.

    Author Comment

    by:Jeff swicegood
    Yes, you've actually given me a lot of information.

    Don't worry, my code has not been exposed.

    I will take a shot at programming server-side code. This web server is Apache with Tomcat and Java is available. I could also set up PHP if need be.

    Expert Comment

    Java is great.  You can post from your page to a JSP page or a Java servlet.  Or add PHP to your Apache server and use a PHP page.

    In fact -- your question said Javascript, but the code you posted is Java and is in fact the example Java code from Paypal.  So it has to run on the server, right?  Unless you're creating an applet, which would be a security problem for this.

    This code is for creating a report to read Paypal transactions from your account -- it's not for Paypal payments.  Is that what you are doing?  Or are you really trying to create a mechanism for users to pay via Paypal?
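
The approach in PayPal's quoted advice and the accepted solution, as an added example (not code from this thread or from PayPal's SDK): a server-side Java helper that reads USER, PWD and SIGNATURE from a properties file kept outside the document root and refuses to load it if anyone but the owner can access it. The class name `PayPalCredentials`, the file layout and the sample values are assumptions; the loaded values would be passed to the API profile in place of string literals.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

// Hypothetical helper (not part of the PayPal SDK): keeps credentials out of source and JSP files.
public final class PayPalCredentials {
    public final String user, pwd, signature;

    private PayPalCredentials(Properties p) {
        user = require(p, "USER");
        pwd = require(p, "PWD");
        signature = require(p, "SIGNATURE");
    }

    // Assumes a POSIX host: the file is mode 600 and owned by the user that runs Tomcat.
    public static PayPalCredentials load(Path file) throws IOException {
        Set<PosixFilePermission> excess = EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);
        excess.retainAll(Files.getPosixFilePermissions(file));
        if (!excess.isEmpty()) throw new IOException(file + " is not owner-only: " + excess);
        Properties p = new Properties();
        try (InputStream in = Files.newInputStream(file)) { p.load(in); }
        return new PayPalCredentials(p);
    }

    private static String require(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.trim().isEmpty()) throw new IllegalStateException("missing " + key);
        return v.trim();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file and values; a real file lives outside the document root.
        Path f = Files.createTempFile("paypal", ".properties");
        Files.setPosixFilePermissions(f, PosixFilePermissions.fromString("rw-------"));
        Files.write(f, Arrays.asList("USER=sample_api1.example.org", "PWD=constructed-pwd", "SIGNATURE=constructed-sig"));
        System.out.println("loaded credentials for " + load(f).user);
        Files.setPosixFilePermissions(f, PosixFilePermissions.fromString("rw-r--r--"));
        try { load(f); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        Files.delete(f);
    }
}
```

The error messages name only the file and its permission bits, so a failed load does not write the secret values to the server log.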


    Author Comment

    by:Jeff swicegood
    I closed the question before I saw your last comment.

    I will open another question once I formulate it.

    Yes this code runs on the server, and yes I am trying to create a mechanism for people to pay via paypal.
    In fact I already have and it works. This was just a code snippet; the actual code is comprised of a dozen or so different .jsp files, class libraries, etc. I have used the PayPal Java SDK exactly except for this one detail I couldn't figure out.

    Yes, I'm not clear on what is Javascript and what is Java, but I'm pretty sure both are mixed in the overall SDK code.
