revolunet / react-mailchimp-subscribe

React subscribe form for Mailchimp.
https://revolunet.github.io/react-mailchimp-subscribe/

Security? #32

Closed Emiliano-Bucci closed 4 years ago

Emiliano-Bucci commented 5 years ago

Hi! I've seen from the network tab that we expose some sensitive data, like the list id and, probably, the API key; is this really secure? Because the Mailchimp docs say that their API doesn't support unauthenticated client-side requests. Thanks!

miracle2k commented 5 years ago

It seems the neat thing about this library is that it acts like the Mailchimp Signup Form that you create; it doesn't expose any data that you don't already expose by using the Forms that you could generate in the Mailchimp UI.

HarisSpahija commented 5 years ago

API keys should never be stored on the client side. You will have to resort to a separate server to handle your Mailchimp GETs and POSTs. According to the Mailchimp docs:

Note

API keys provide full access to your account. Keep them confidential and stored on your own servers. Because of the potential security risks associated with exposing account API keys, Mailchimp does not support client-side implementation of our API using CORS requests or including API keys in mobile apps.

The API will always need the key thus being really insecure when placed on a client-side environment.

miracle2k commented 5 years ago

@HarisSpahija I am not the author of this repo, but looking at the code, it does not seem to use the API key. Mailchimp allows one single operation, subscribing to a list, to happen without an API key. They have to do that to make their own client-side signup forms work.

Emiliano-Bucci commented 4 years ago

@miracle2k Thanks for the info! Yes, indeed it mimics the same behavior of the Mailchimp form. Closing this issue.
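For anyone wanting to verify the question raised in this thread on their own site, the following added example (not part of this repository or any commenter's code) audits requests copied from the browser's network tab and separates the public signup-form traffic the library mimics from traffic that would indicate a leaked API key. It assumes, beyond what the thread states, that Mailchimp API keys are 32 hex characters plus a "-<dc>" suffix such as "-us1", that public signup forms post to *.list-manage.com, and that the authenticated API is served from <dc>.api.mailchimp.com.

```javascript
// Added example (not part of this repository or thread): audits requests copied
// from the browser's network tab and separates the public signup-form traffic
// this library mimics from traffic that would mean an API key has leaked.
// Assumptions (not stated on the page): Mailchimp API keys are 32 hex chars plus
// a "-<dc>" suffix such as "-us1"; public signup forms post to *.list-manage.com;
// the authenticated API is served from <dc>.api.mailchimp.com.

const API_KEY_RE = /\b[0-9a-f]{32}-[a-z]{2}\d{1,2}\b/gi;

// Expand Basic credentials so a key hidden in base64 is still found.
function decodeBasicAuth(headers = {}) {
  const auth = headers.Authorization || headers.authorization || '';
  if (!/^Basic\s+/i.test(auth)) return '';
  return Buffer.from(auth.replace(/^Basic\s+/i, ''), 'base64').toString('utf8');
}

// req: { url, headers?, body? } as copied from the network tab.
function auditRequest(req) {
  const url = new URL(req.url);
  const findings = [];
  const haystack = [req.url, JSON.stringify(req.headers || {}),
                    decodeBasicAuth(req.headers), req.body || ''].join('\n');
  for (const key of haystack.match(API_KEY_RE) || []) {
    findings.push(`API-key-shaped value sent from the client: ${key.slice(0, 8)}...`);
  }
  if (/\.api\.mailchimp\.com$/i.test(url.hostname)) {
    findings.push('direct call to the authenticated Mailchimp API from the client');
  }
  // The signup-form endpoint only carries the public list identifiers (u=, id=).
  const publicForm = /\.list-manage\.com$/i.test(url.hostname) && findings.length === 0;
  return { publicForm, findings };
}

// Constructed sample capture: one expected form post, one leaking API call.
const SAMPLE_REQUESTS = [
  { url: 'https://example.us1.list-manage.com/subscribe/post-json?u=' +
         'a'.repeat(32) + '&id=1234567890&EMAIL=test%40example.com' },
  { url: 'https://us1.api.mailchimp.com/3.0/lists/1234567890/members',
    headers: { Authorization: 'Basic ' +
      Buffer.from('anystring:' + '0'.repeat(32) + '-us1').toString('base64') },
    body: '{"email_address":"test@example.com","status":"subscribed"}' },
];

function auditAll(requests = SAMPLE_REQUESTS) {
  return requests.map(auditRequest);
}
```

A form post carrying only the u= and id= parameters is reported as public, which is the data the Mailchimp-generated form already exposes; anything that decodes to a key-shaped value is flagged.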