Is it possible to change the application's default API_KEY and MASTER_KEY with parse server?

[MateusCarvalho]

I'm trying to change the default app_id and master_key that the parse gave me, for one's own, is it possible?

[flovilmart]

You can set any value you want on your server, just make sure your clients use the same values.

[MateusCarvalho]

@flovilmart And in Default API Parse is it possible? They tried to hack my app, they deleted some data, but I was able to recover a backup. I believe they are in possession of APP_ID yet.

[natanrolnik]

@MateusCarvalho in Parse.com you can't, but I wouldn't bother, considering that it will stop working in 10 days. In your own Parse Server, you can set whatever keys you prefer.

The appId and keys (besides the master key) are not a security mechanism. It's not hard to sniff and get access to the HTTP calls your mobile/web app do, and extract the appId, clientKey, javascriptKey. It was even discussed to get rid of client keys at all, as they give a misleading sensation of security.

The real way of fixing this breach is reading the security section in the guides, understanding the two leves of security that Parse Server provides:

1 - CLPs - Class Level Permissions: Defines if a class and its objects can be public added, created, deleted or changed, or not. If not, all these operations will require the master key. Otherwise, ACLs apply:

2 - ACLs - Access Level Control: Defines if an object may be read or updated by specific users or roles.

They might be a bit confusing, a these are 2 different security layers; so take care not to adding both and avoiding users who actually should be able to access data to do so.

I won't get much deeper here, as it's better explained in the docs, linked above.