Where to store a secret key to use in a SHA-1 hash?

I need to post a form to a secure server with a SHA-1 hash of: some of the form fields and a secret key.

I'll be using javascript to create the hash (with the help of http://crypto-js.googlecode.com/files/2.3.0-crypto-sha1.js), and put it in a hidden input field in the form. The recipient server will check the hash against the same key.

But where should I store the secret key?开发者_如何学C I can't put it in the javascript, as the page source could be viewed (even if obfuscated?).

My site is hosted on a UNIX server to which I have ftp and telnet access. I assume that if I put the key in a separate .js file on the server, that is equally insecure.

How else could I store it on my server in a way that is secure, but accessible only to the javascript on my page? Thank you.

---

What you want to do is impossible. You can't store or even so much as access a secret key in javascript without your users being able to see it as well. You have to create your hash on the server instead of on the clients computer.

Obfuscating your source would barely be a hindrance to someone trying to find your secret key, who knows a little bit about Javascript, and tools to tidy it up and such.