Is it possible to hide code written in JavaScript (jQuery)?
I have written a program and I have used the load() function too much.
Everyone can see my pages' addresses; is it a risk?
Something like this:
load('account/module/message/index.php');
load('account/module/ads/index.php');
load('account/module/stat/index.html');
No.
JavaScript is client side, therefore all code written is, in some fashion, directly visible to the client (end user). You can obfuscate it and make it more difficult to decipher, but in the end it is still accessible.
If security is of concern you can keep "business logic" within php and access it using JavaScript (e.g. Ajax calls) but the end points would still be visible.
On every site that uses JavaScript, that JavaScript code is visible to the end user. Not only that, but the end user is able to debug it, and change either the variable contents or even the code itself at any moment.
Despite this, millions of sites use Javascript, and many of those sites are considered secure. The point is that while JS code may be visible to the end user, it doesn't necessarily mean your system is insecure. You just have to write your system with the understanding of how it works.
Here are some pointers:
If you put secrets (e.g. passwords or business logic that must be kept private) into your JS code, then those secrets are not secure. Don't do this; keep those details on the server.
If your JS code does any kind of validation, then that validation could be bypassed, so your server-side code must also do the same validation.
If your JS code makes calls that run code on the server (e.g. your load(...) calls), then the server must verify that the user has permission to do so; don't rely on the JS code to do that check.
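As an added example (not code from the question or from any answer on this page), here is a Node.js-style request handler that applies the three pointers above to the module paths the question's load() calls reveal: the caller's role comes from the server-side session, each module has a required role, and the payload is validated again on the server even though the page's JavaScript may already validate it. The role table, the validator, the request shape and the assumption that the stat module is admin-only are all constructed for illustration.

```javascript
// Added example (not from the original question or answers): server-side
// gatekeeping for the module endpoints a page's JavaScript exposes.
// Roles, validator, request shape and the admin-only stat module are assumptions.

const ROLE_RANK = { anonymous: 0, user: 1, admin: 2 };

// Server-side twin of whatever the page's JavaScript checks before sending.
// Returns an error message, or null when the body is acceptable.
function validateMessage(body) {
  if (typeof body.text !== 'string' || body.text.trim() === '') {
    return 'text is required';
  }
  if (body.text.length > 500) {
    return 'text must be at most 500 characters';
  }
  return null;
}

// Per-endpoint policy: which role may load the module and how its input is validated.
const MODULE_POLICY = {
  'account/module/message/index.php': { role: 'user',  validate: validateMessage },
  'account/module/ads/index.php':     { role: 'user',  validate: () => null },
  'account/module/stat/index.html':   { role: 'admin', validate: () => null },
};

// req = { path, session, body }. session is what the server stored at login
// (null for an anonymous visitor); nothing in body is trusted to name the caller.
function handleRequest(req) {
  const policy = MODULE_POLICY[req.path];
  if (!policy) {
    return { status: 404, body: 'unknown module' };
  }

  // 1. Identify the caller from the server-side session, never from client data.
  const role = req.session && ROLE_RANK[req.session.role] !== undefined
    ? req.session.role
    : 'anonymous';
  if (role === 'anonymous') {
    return { status: 401, body: 'login required' };
  }

  // 2. Knowing the URL is not permission: compare the session role to the policy.
  if (ROLE_RANK[role] < ROLE_RANK[policy.role]) {
    return { status: 403, body: 'forbidden' };
  }

  // 3. Validate again on the server; the client-side check may have been skipped.
  const err = policy.validate(req.body || {});
  if (err) {
    return { status: 400, body: err };
  }

  return { status: 200, body: `served ${req.path}` };
}

// Walks the same endpoint through the cases a server must handle regardless of
// what the browser-side code did; returns the status codes in order.
function demo() {
  const asUser = { role: 'user' };
  const asAdmin = { role: 'admin' };
  const msg = 'account/module/message/index.php';
  const stat = 'account/module/stat/index.html';
  return [
    handleRequest({ path: msg,  session: null,    body: { text: 'hi' } }).status,   // 401
    handleRequest({ path: stat, session: asUser,  body: {} }).status,               // 403
    handleRequest({ path: msg,  session: asUser,  body: { text: '' } }).status,     // 400
    handleRequest({ path: msg,  session: asUser,  body: { text: 'hello' } }).status, // 200
    handleRequest({ path: stat, session: asAdmin, body: {} }).status,               // 200
    handleRequest({ path: 'account/module/other/index.php', session: asAdmin }).status, // 404
  ];
}
```

The point of the three numbered checks is that none of them reads anything the client could have altered: the session is looked up server-side, the policy table lives on the server, and the validator re-runs on the raw body. A caller who has read the URLs out of the page's JavaScript gains nothing beyond what their session already permits.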
You can't "hide" the client-side code; the most you could hope to do is obfuscate it, which to me is largely pointless in the context of the web - code that is delivered to the client should be exposable without being dangerous - and you can hardly obfuscate URLs, anyway.
For parts that shouldn't be exposed, don't expose them. Do server-side generation and output only what is needed, what is "safe"; some trouble can come when mixing the two (say, wanting to hide away logic by doing it on the server, but still deliver it dynamically using AJAX), because your logic is indirectly exposed (that is, although it can't be seen, the results can be gathered, perhaps from a different domain to use your content, etc.)
You can try using an Obfuscation Tool like YUI Compressor http://yui.github.io/yuicompressor/
So your code will not be readable for the end user... but hiding it is impossible.
Hiding values and stuff
If you want to keep your values private so the user can't read them, obfuscation won't really be your choice; of course your source will be minified and it will be a mess if you want to read it, but it's still there...
So your choice here is to use some kind of encryption which will be decrypted when the page loads, but it is hard work; you can use base64, sha1 or whatever you want, on only the strings or values you want. But anyone can decrypt it if they really want to.
Definitely not, because JavaScript is executed client side, so either, if possible, you do all the operations in server-side scripting (JSP/PHP/ASP), or minify/compress your JavaScript code after moving it to a separate file.
Unfortunately not.
Javascript runs on the client machine in the web browser and cannot be hidden from someone looking at the source code.
However this does not pose a security risk for your application provided nothing internal is visible should you visit those pages in your browser.
Process all your "secret" code on the server, where the user doesn't have access to the code. Send only "non secret" things to the client, like for the UI. If you can't avoid sending secret code to the client, obfuscate it to make it more difficult to read.
Put your JavaScript code in an external file.
And then minify your JavaScript code; maybe this helps you.
To convert normal JavaScript into minified JavaScript, refer to this: http://jscompress.com/
Related
Is it possible to modify javascript source code on a https connection before it gets executed by the browser. This modification doesn't have to necessarily come from a man-in-the middle. It can also come from the intended recipient of the script. Also, is there a particular type of request that cannot be made to a PHP server using cURL? In other words, what are the limitations of cURL?
If you have secrets to hide, don't include them in your Javascript.
Yes, it's quite possible. With something like Greasemonkey, or a browser plug-in, the user could certainly transform the source before executing it.
Moreover, since your source is eventually delivered in plain text, even if obfuscated, the user can reverse engineer it to find the secret, and often can do so quite quickly.
Well, I have a completely AJAX driven site. I inserted a jQuery code that affects all forms and queries site-wide. It's to the point that, even though I want to change it, I fathom and accept the idea of a website that utilizes a single function to process all queries (search, links, & profile, etc....)
How do you accommodate speed and security on such a platform? My PHP files can be accessed directly from their location's link. That is a threat. Help me; as well as AJAX, I need validation and '777' protection.
Before you read my answer read also this (as answer to a comment on your question) : Possible to view PHP code of a website?
Don't put speed and security in the same box. A website can be secure and fast at the same time.
I would secure a folder with 777 access (why not 755?) with an empty 0Kb index.html file (yes, even if you have a bunch of .php files inside!) and put an .htaccess with the restriction deny from all, which allows a folder to be accessed internally but not from 'outside'.
Then I would NEVER send sensitive data through the requests, but rather a client-side transformed hashing algorithm like MD5 or SHA1 to compare data and validate on the server side. So don't ever ever send sensitive data in its pure state over the yellow wire.
Need more security? https
Regarding a "single function" that drives your JS client-end of the site, well, if well formatted the browser doesn't care if it's one or hundreds, a good code is a readable code. Performance wise there's lots of suggestions on the www how to speed up your code.
To add to a really good #Tim's comment/tip, you can still open your console in Firebug (Net) and inspect every single piece of information that is sent from your Page to the server (and vice-versa!!) and act accordingly.
the context: while content and copy protection is practically a moot point, and I've heard every argument there is about right-context menu disable, the state of the art is to secure a page with JavaScript measures, and then somehow create a Page wipe if the security is bypassed by disabling JavaScript.
Another way to say this is "make the content depend on continuous availability of JavaScript". My target is a page wipe initiated within 1 second of JavaScript being disabled.
The methods I'm exploring are PHP for WordPress...and I'm considering initiating a process on page load which wipes the page unless a JavaScript token is present to stop the process. I also thought of a method which starts a process server side to rewrite the page content if err status can be proven to show JS disabled.
I agree with #alessioalex. What you're asking for is not possible.
The only possible way to continuously monitor anything on a web page is with Javascript. And the only way to change the page content after page load is with Javascript. And if I've got Firebug installed (or the developer tools for any other browser), I can see the entire content of your site, and even alter your Javascript while it's running. I don't even need to turn Javascript off to disable your protection feature.
There is a very limited amount of protection you can get from the basic "disable context menu" function. It isn't secure, but it does protect you against people who don't know what they're doing or who can't be bothered to waste their time getting past it.
But there is zero additional protection to be had from doing anything more than that in a browser environment, because all your code and graphics are available and it is trivial for a user with even limited knowledge to get at it.
If someone knows enough to try switching off Javascript (and if they're determined enough to get at your code to do that) then you've already lost the battle.
You say you've heard every argument about copy protection on the web, but if you're asking this question you clearly haven't understood those arguments.
Bottom line: If copy protection is that important to you, then a web page is the wrong environment for your content.
Probably not something you are looking for, since the workaround for this technique would be to use IE, but in the future one could use CSS Transitions to schedule "disappearance" of the content and reset it with JS periodically :)
I am designing a website, and I really want it to be as secure as possible.
I have a private folder that cannot be accessed (.htaccess) which contains all my php classes (and similar structures), and a public folder that has my Javascript, CSS and a PHP file for the Javascript(via AJAX) to interface with, which in turn accesses the classes in the private folder.
Now here is my issue, and for the life of me I just cannot seem to get my head around this one:
If someone was to look at the js code they would see the commands / data being sent to the publicly available PHP Script (as described above), therefore getting an idea of what commands to use interface with that script and potentially gain access to stored data etc.
Now I know that AJAX won't work remotely etc., but as long as you got the commands from the AJAX script you could interface directly with it, so I thought I would do a referrer check on the interface script, and that worked perfectly until I realized how easy it was to spoof your referrer header!
Does anyone have any ideas on how to secure this? If this just sounds like complete garbage, tell me and I'll try and break it down further.
AJAX and JS are client-based - everything they do, any user can do. If you expose an API method to AJAX, you expose it to the user - there's nothing you can do about that. That's your design choice. You could of course obfuscate your API calls, but that doesn't really do anything other than make it less user-friendly.
The bottom line: don't trust any user input, regardless of whether it came from your AJAX code or somewhere else.
Well, someone scripting your site directly would only be able to access the same stuff he already can in UI, right?
If you have a script function doAdminStuff(), you would check server side if the user is logged in AND is an admin, before taking any actions.
Relax, dude.
This is SPARTA! WEB.
Every site in the world is "exposed" like this. That's the way the web works, Ajax or non-ajax based.
You can't help it, yet there is no harm in this. There is nothing to secure.
Here are my recommendations:
Use SSL if you are not already.
Use a (software) token for all requests that you want to protect.
To discourage others from reading your javascript files, you can obfuscate them. Dean Edward's packer is a famous one.
Write a script that sniffs logs and data for potentially bad activity. If you are not logging all the activity you need to (like if the apache logs are not enough) consider writing activity to your own log.
Don't be paranoid, just filter input params; maybe you should switch on SSL so your AJAX requests' content will be hard to sniff, etc.
Are you using the ajax-thing only for security-reasons or for any other reason? Because you can build up an architecture like this (a PHP-file as "gateway" and all other PHP-files in access-restricted folder) without using ajax as well. If you want to check out, you could take a look at the default folder structure of Zend Framework. This structure has the advantage that there is no logic visible for your users at all.
Also important is that IE (at least IE 6 & 7 I think) does not send a referrer at all by default so this probably wouldn't work anyway.
I am trying to create a website that will allow users to login with their email and password. To prepare for this I am attempting to learn the languages that will best help me. I have a knowledge of HTML/CSS and am wondering whether to learn PHP or Javascript first. I understand that PHP is server based, does this mean that I will need to provide a server that, for example, their user names/passwords will be stored on? Also, I have been told that Javascript will sometimes be used in PHP, is it necessary that I learn Javascript first?
The only way to secure a login is to have the server do the validation. If you do it on the client, anyone can view the page source and see the code. They can even execute arbitrary javascript code, bypassing any client-side validation.
You will need PHP & some database (MySQL is most common) to create a login system.
1. You will need to use forms; send the username and password to a script.
2. Receive the data and compare the username & password to the one in the database.
3. If the login credentials are valid, create a session variable that keeps them logged in.
It is worth noting that doing things with only HTTP instead of HTTPS allows hackers (read: Script Kiddies) to hijack your user's sessions if they are on an unsecured network such as open Wi-Fi in Starbucks.
As you say, PHP is server side (executed on a web server), whilst JavaScript is executed on the client side (in the web browser). JavaScript can't be used "in" PHP, but it's often used to improve the user experience on many web sites. However, for the majority of purposes, it can be considered as a separate concern to PHP.
However, let's take a step back. If you think about your problem, you'll probably come to the conclusion that you need to store the information about the users somewhere on the server side, so that you can check the information supplied in the form against the user data you have stored to see if the details are correct. (Once you learn more, you'll most likely decide to store the information in a database, such as the popular MySQL, which PHP can talk to and interrogate using the SQL language.)
However, at this stage of things I'd recommend getting hold of a good book on PHP, or perhaps having a look at the introduction section of the PHP manual, which contains some basic tutorials.
Yikes.
At the minimum you want some sort of server-side language. I'd also highly recommend using a pre-built system, depending upon needs, since security is not easy.
JavaScript is not required.
You will need a host to use for a web server and for a DB; this can also be your PC, check out WAMP.
Javascript is not required, but using jQuery can certainly help your UI look a lot better. There are a lot of very simple examples of forms (including a login form) inside the jquery site.
JavaScript is client-side; it can't auth a user alone, that's where you need PHP. Usually web auth pages don't need JavaScript, only a client side language, like PHP.
Start with PHP. Javascript is occasionally used for working with PHP on the page (ie., get database info without having to click a "submit" button or navigate to another page.) It is used, for example, to make people's Facebook statuses appear on your homepage in real time. I programmed PHP for years and haven't learned any JS until just recently, so don't worry about it for now.
The posted tutorials (especially on w3) are excellent. There is an excellent tutorial that describes exactly what you are trying to do at devarticles, but it requires a VERY basic understanding of SQL. The example in the tutorial is also fairly insecure, but it'll teach you the basics of working with MySQL and PHP sessions.
You'll need to run the scripts on a server that has PHP and MySQL on it, so pay attention to these things when you're looking for hosting.