Executable in the form of only responding to PUT, POST, UPDATE, or DELETE HTTP requests vs. a GET HTTP request? Anyone can send any type of HTTP request to a world-accessible API end-point and view the response. API scripts can be secure by exchanging secret keys or OAuth access_tokens. We trust Qualtrics to safely store our secret keys, but we don't want the keys visible to form editors.
Thank you for your quick response! The web service script containing API keys would be world-accessible. Anyone who stumbled upon the API key end-point could use the keys to access and update highly sensitive information. We could lock it down to the Qualtrics IP range, but any Qualtrics user could find the end-point and display the embedded field. This sounds like security by obscurity. Is there any other way to hide secrets from form editors?