How to avoid access to .js file from the browser

-1

I have the following scenario:

  

I have a website that uses .js files in the classic way. The problem is that if you access the URL of a .js file directly from the browser, you can see all the code of that file; for example, if you access link , all the JavaScript code of file.js is displayed in the browser. What I want is that the file cannot be accessed directly from the URL, and that these .js files can have confidential information.

I know that the .js file has to be downloaded to the browser one way or another to execute its functions, but I want to avoid direct access to that file.

Greetings.

    
asked by RSillerico 24.11.2016 at 20:43

2 answers

2

It is not possible to avoid access to the file, because if you do, the browser will not be able to execute it. On the other hand, if you arrange things so that under certain characteristics (like a user_agent) a user cannot see the js directly and the browser can, it will not be very complicated to skip the filter, since there is an access granted.

To guarantee the encryption of passwords from point A (js) to point B (asp.net) you must use the https protocol, which is responsible for encrypting all the content shared between point A and point B, as long as both use encryption.

I recommend you review Let's Encrypt, which allows you to add SSL certificates for free, although there is always the possibility of buying them. I do not know how you are deploying your applications, but normally providers have the option to add SSL to your servers.

    
answered by 25.11.2016 at 02:29

2

It is possible to achieve this goal in part, although it has great performance disadvantages for both the client and the server.

Unique token system

You should use a server-side language (PHP, ASP, etc.) to serve JS files, validating each request with a unique token; this token should expire at the moment the file is served.

1.- Generate a unique token when the web page loads, save it (DB, filesystem, etc.) and include it in your HTML in the following way:

<script type="text/javascript" src="js.php?token=asdfa377f32fasdf8283f23f283f23"></script>

2.- Create the program js.php, where you should validate whether this token exists; if it exists, you would use the js file and delete the token.

With this logic, what we achieve is that the first time the web page is loaded, the client makes a request to js.php sending the corresponding token, and the program serves the JS file and removes the token. When the user then views the source code and tries to access this script, the token no longer exists, and therefore they cannot see the source code of the script.

Clarifications

It should be noted that with this we only ensure that the user cannot directly access the source code using the URL of the script, but with the development console of any recent web browser you can debug the script and view all the source code that is already loaded in the web browser. JavaScript is a language that runs on the client side, and therefore you should never keep confidential data in it; any confidential data should be stored on the server and never be served to the client without some type of encryption.

Apart from the fact that this logic only solves part of the problem, it can generate a big performance problem on both the server and the client, since every visit to this URL will generate a new request to the server to validate the unique token. Therefore, you would lose the possibility of having your JavaScript files cached in the browser, forcing the client to download the JavaScript files again on each visit and generating extra effort on the server to handle more requests.

    
answered by 15.12.2016 at 17:52
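
The single-use token flow from the second answer, as an added example that is not code from either answer: Python stands in for js.php, and the names `issue_token`, `serve_js`, the `TOKEN_TTL` lifetime for unused tokens and the in-memory store are assumptions. The 200 response still hands the complete source to the browser, so this only blocks replay of the URL.

```python
import secrets
import time

TOKEN_TTL = 30  # assumed: seconds an unused token stays valid
JS_SOURCE = "console.log('app code');\n"  # constructed stand-in for file.js

# token -> expiry timestamp. Assumption: one process; a real deployment
# needs a shared store with an atomic "fetch and delete" operation.
_tokens = {}


def issue_token(now=None):
    """Step 1: called while the HTML page is being rendered."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
    _tokens[token] = now + TOKEN_TTL
    return token


def script_tag(token):
    """The tag the page embeds, in the form shown in the answer."""
    return ('<script type="text/javascript" '
            f'src="js.php?token={token}"></script>')


def serve_js(token, now=None):
    """Step 2: the js.php role. Returns (status, headers, body)."""
    now = time.time() if now is None else now
    # pop() looks the token up and deletes it in one step, so a second
    # request with the same token can never find it.
    expiry = _tokens.pop(token, None)
    if expiry is None or now > expiry:
        return 403, {"Cache-Control": "no-store"}, ""
    headers = {
        "Content-Type": "application/javascript",
        # A cached copy would be served without the token check, which is
        # the caching cost the answer describes.
        "Cache-Control": "no-store",
    }
    return 200, headers, JS_SOURCE
```
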