Results 1 to 5 of 5

Thread: question on script security

  1. #1
    Join Date
    Jun 2008
    Posts
    187
    Thanks
    8
    Thanked 0 Times in 0 Posts

    Default question on script security

    Hello,

    We're developing a web app and we're wondering if there's a way to prevent the user from inspecting the page or seeing the javascript. Most browsers have a console that you can open up and see the DOM elements and any scripts running on the page. Most of them even allow you to hover over variables and see the data, some of which might include database IDs and other private information. While we try to make as little sensitive/private information available as possible, the fact that users can inspect the page and view information behind the scenes is a bit of a security hole.

    What we want to know is: can the viewing of DOM elements or scripts be disabled from the web app side?

    Or: can we at least minimize the javascript when we deploy?

    For this last part, we are using Visual Studio 2015, and Gulp packages to package everything together (javascript, CSS, etc.) during deployment. All I would need to know is how to setup a gulp package to minimize the Javascript (which is packaged into one file during deployment called app.js).

    Does anyone have any tips on how to make sensitive information a bit more secure in the browser console? Thanks.

  2. #2
    Join Date
    Mar 2005
    Location
    SE PA USA
    Posts
    30,375
    Thanks
    77
    Thanked 3,421 Times in 3,382 Posts
    Blog Entries
    12

    Default

    There are various free and paid online services, as well as various free and paid apps for minimizing and/or obfuscating javascript. You can use Google to find them. Some of these don't work very well or may have intimidating interfaces (there are so many, I would avoid any of those). Others may require that the javascript is validated to strict standards before they can work. None of this truly protects your code, but it does make it harder to reverse engineer it. Obfuscation is more valuable to that end, but minimizing also makes code harder to follow.
    - John
    ________________________

    Show Additional Thanks: International Rescue Committee - Donate or: The Ocean Conservancy - Donate or: PayPal - Donate

  3. #3
    Join Date
    Sep 2007
    Location
    The Netherlands
    Posts
    1,734
    Thanks
    46
    Thanked 216 Times in 209 Posts
    Blog Entries
    53

    Default

    There's no way to completely hide Javascript from the user, since the browser needs to download it to run it.
    As John said, you can try to use a service that obfuscates code for you, like this one. Another way to accomplish what you want is to write two documents for each page of your site:
    1) a document (for ex. 'file1.html') that contains your original HTML, Javascript, CSS etc.
    2) another document that loads the above document via jQuery, like so:
    Code:
    <!DOCTYPE html>
    <html>
    <head>
    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
    <script>$('html').load('file1.html')</script>
    </head>
    <body>
    </body>
    </html>
    The first document should be the 'hidden one'. The second document won't (directly) show the Javascript of the first document.
    Last edited by molendijk; 10-19-2017 at 02:11 PM.

  4. #4
    Join Date
    Jun 2008
    Posts
    187
    Thanks
    8
    Thanked 0 Times in 0 Posts

    Default

    Thanks both for your useful responses.

  5. #5
    Join Date
    Nov 2014
    Location
    On A Scottish Island
    Posts
    432
    Thanks
    0
    Thanked 54 Times in 50 Posts

    Default

    Perhaps you could move the "sensitive stuff" on to the server and use PHP.

  6. The Following User Says Thank You to styxlawyer For This Useful Post:

    jscheuer1 (10-21-2017)

Similar Threads

  1. Resolved security question
    By james438 in forum PHP
    Replies: 15
    Last Post: 06-06-2011, 09:15 AM
  2. Replies: 4
    Last Post: 03-29-2010, 04:48 AM
  3. Resolved database security question
    By james438 in forum PHP
    Replies: 7
    Last Post: 03-14-2010, 03:58 PM
  4. Resolved security question
    By james438 in forum PHP
    Replies: 2
    Last Post: 03-13-2010, 11:05 PM
  5. Ajax Security Question
    By Falkon303 in forum JavaScript
    Replies: 0
    Last Post: 10-15-2009, 05:03 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •