• Resolved henrybobford

    (@henrybobford)


    Is this considered a server-side app? I am trying to integrate a menu from a client-side JavaScript that pulls data from a published Google spreadsheet onto our retail TV via Raspberry Pi.

    Now I’m trying to make it so that when we update our spreadsheet, it updates not only the TV menu, but our website.

    Our Raspberry Pi developer said he doesn’t recommend using a client-side app on our WordPress site as it would likely broadcast the key for accessing the sheet?

    Thoughts?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Meitar

    (@meitar)

    > Thoughts?

    Fire your developer.

    There are no access keys or credentials utilized by this plugin for Google Sheets.

    > Our Raspberry Pi developer said he doesn’t recommend using a client-side app on our WordPress site as it would likely broadcast the key for accessing the sheet?

    Meitar is accurate in saying “There are no access keys or credentials utilized by this plugin”, as the documentation states… the Google Sheet must be publicly shared in order to be used by the IGSV plug-in.

    It’s worth noting that your “GOOGLESHEETKEY” (e.g. https://docs.google.com/spreadsheets/d/GOOGLESHEETKEY/htmlview) is used as the IGSV’s table ID (e.g. <table id="GOOGLESHEETKEY">), which is obviously visible to anyone via the browser source code.

    In order to implement a tiny bit of “security through obfuscation”… I slightly modified the installed plug-in’s code as follows:

    IMPORTANT NOTE: Make this change at your own risk, as it will make troubleshooting more difficult and should only be done if/once you’re certain your project is working as intended.

    FIND:
    $html = '<table id="' . esc_attr($id) . '"';

    REPLACE:
    $html = '<table id="' . esc_attr( str_shuffle( $id ) ) . '"';

    Plugin Author Meitar

    (@meitar)

    > $html = '<table id="' . esc_attr( str_shuffle( $id ) ) . '"';

    This will break any CSS and JavaScript selecting or targeting the table HTML. If you are going to do this, at least use hash( 'sha256', $id ), not str_shuffle() so that your output is always the same.

    > This will break any CSS and JavaScript selecting or targeting the table HTML.

    In my use cases, that hasn’t mattered, but it’s a very good & important point… as is your comment about hashing the $id instead. Thanks!
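
Added example, not part of the original thread or the plugin's code: the two table-id variants discussed above, run side by side to show why `str_shuffle()` breaks selectors while `hash( 'sha256', $id )` stays stable. `SAMPLE_ID`, the helper names and the `t-` prefix are assumptions made for this illustration, and `htmlspecialchars()` stands in for WordPress's `esc_attr()` so the script runs with plain PHP.

```php
<?php
// Added illustration, not the plugin's code. esc_attr() is a WordPress function;
// htmlspecialchars() stands in for it so this runs with plain PHP.

// Constructed sample value, not a real sheet key.
const SAMPLE_ID = 'CONSTRUCTED-sheet-key-0123456789abcdefXYZ';

function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The modification posted in the thread: a fresh permutation on every render.
function table_id_shuffled(string $id): string
{
    return attr(str_shuffle($id));
}

// The suggested alternative: the same input always gives the same 64 hex characters.
// The "t-" prefix is an assumption added here: a SHA-256 hex digest can start with
// a digit, and an id that starts with a digit cannot be written as a plain #id
// selector in CSS without escaping.
function table_id_hashed(string $id): string
{
    return attr('t-' . hash('sha256', $id));
}

// Simulate several page loads and count how many distinct ids a variant emits.
function distinct_ids(callable $make, string $id, int $loads = 3): int
{
    $seen = [];
    for ($i = 0; $i < $loads; $i++) {
        $seen[$make($id)] = true;
    }
    return count($seen);
}

printf("str_shuffle: %d distinct id(s) in 3 loads\n", distinct_ids('table_id_shuffled', SAMPLE_ID));
printf("sha256:      %d distinct id(s) in 3 loads\n", distinct_ids('table_id_hashed', SAMPLE_ID));

// A stylesheet or script can be written once against the hashed id.
printf("selector:    #%s\n", table_id_hashed(SAMPLE_ID));

// The shuffled id keeps the key's length and characters; the hashed id does not contain the key.
printf("shuffled length equals key length: %s\n",
    var_export(strlen(table_id_shuffled(SAMPLE_ID)) === strlen(SAMPLE_ID), true));
printf("key appears in hashed id:          %s\n",
    var_export(strpos(table_id_hashed(SAMPLE_ID), SAMPLE_ID) !== false, true));
```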

  • The topic ‘Server-side?’ is closed to new replies.