If someone "stole" my Facebook App ID, what damage could they do?
I created a Facebook App ID and set the site URL to "localhost" so that after authenticating (via client-side JavaScript), I am redirected to my local machine while I'm developing the app.
I'm curious to know if there's any risk in this setup, specifically, what would happen if my App ID were stolen. It seems like the worst thing that could happen is that someone else could use my App ID with their own locally-hosted app and cause my app to exceed its Graph API usage quota, etc. Are there other risks?
You should not worry about it.
The Facebook App ID can be easily retrieved from any site that uses the Facebook JS SDK.
What you should worry about is your app secret key.
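An added example, not part of the original answers: a small check that can be run over client-side JavaScript before shipping. It treats the App ID in `FB.init` as expected public data and flags any app secret that ended up in the bundle. The sample source, IDs and secret are constructed, `auditClientSource` is a hypothetical helper, and the 32-hex-character shape of a secret is an assumption.

```javascript
// Constructed sample of client-side code; the App ID and secret are made-up values.
const SAMPLE_BUNDLE = [
  "FB.init({ appId: '123456789012345', xfbml: true });",
  "var cfg = { appSecret: '0123456789abcdef0123456789abcdef' };",
  "FB.login(function (response) { console.log(response.status); });",
].join('\n');

// Assumption: an app secret looks like 32 hex characters; adjust if yours differs.
const SECRET_VALUE = /\b[0-9a-f]{32}\b/i;
// Names that usually carry the secret in config objects or OAuth query strings.
const SECRET_NAME = /(app_?secret|client_?secret)/i;

// Scan client-side source line by line.
// knownSecret is optional: pass the real secret (from a server-side store)
// to get an exact match instead of relying on the heuristic.
function auditClientSource(source, knownSecret) {
  const findings = [];
  const publicAppIds = new Set();
  source.split('\n').forEach((line, i) => {
    // The App ID inside FB.init is expected to be public: record it, do not flag it.
    const id = line.match(/appId\s*:\s*['"](\d+)['"]/);
    if (id) publicAppIds.add(id[1]);
    if (knownSecret && line.includes(knownSecret)) {
      // Exact match on the real secret is the strongest signal.
      findings.push({ line: i + 1, reason: 'known app secret present' });
    } else if (SECRET_NAME.test(line) && SECRET_VALUE.test(line)) {
      // Heuristic: a secret-shaped value on a line that names a secret.
      findings.push({ line: i + 1, reason: 'secret-like value next to a secret name' });
    }
  });
  return { publicAppIds: [...publicAppIds], findings };
}

const report = auditClientSource(SAMPLE_BUNDLE, null);
console.log('Public App IDs (expected):', report.publicAppIds);
console.log('Findings (must be empty before shipping):', report.findings);
```

Any finding means the secret has been exposed to every visitor and should be reset in the app's settings, not just removed from the file.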
I also think this is risky, not because of the localhost issue (you can change it to something else, like mylocal.develop, map it in /etc/hosts, and authorize that in Facebook, as I did; it works), but because of IP spoofing or domain spoofing by header forgery (https://en.wikipedia.org/wiki/IP_address_spoofing).
Not sure if it can be avoided by forcing SSL mode in Facebook or something like that.