Modification of Javascript on websites


1

How far can an end user modify JavaScript and manipulate everything? As far as I know, it's literally everything, but if it is, is there a way to avoid it? Either prevent it entirely, or simply prevent JS editing by Firebug or something like that.

  • 1

    Related: "How to protect source code?" (the question was for Java, but my answer applies especially to cases like JS, where the inconvenience of hiding the code is great). By the way, no code can prevent the user from touching it, no matter whether it is compiled, interpreted, etc. Only if the hardware itself is resistant to this type of change (for example, smartphones that are not jailbroken/rooted do not allow you to handle their software arbitrarily).

3 answers

4


There is basically nothing you can do. From the moment your software sends code to an unknown computer to run there, it is the prerogative of this machine to do whatever it wants with the code. Nor would it be fair to let an unknown person execute a code they understand without the owner of the execution environment being able to interfere.

There are some techniques that can make it a little more difficult, but whoever wants to do it will do it. It is not worth the effort, it will certainly be ineffective and any technique will be defeated with relative ease. At worst the user will not try because there is no value in doing so, which means that the attempt at protection is innocuous.

One of these techniques is code obfuscation. If the code gets too unreadable, it’ll be harder to modify it. If I were to do something like this, it would be this technique that I would adopt, but I would be aware of its ineffectiveness.

And this is one of the biggest reasons to never trust anything that comes from a client: people can always change something.

  • 2

    "Nor would it be fair to let an unknown person execute a code he understands without the owner of the execution environment being able to interfere" +1. Unfortunately, it is in this direction that much of the market is moving... (e.g.: Apple devices, where you don't control what runs on the device you bought - Apple controls it)

  • @mgibsonbr +2 :) (one here and the other there in the other) Without wanting to get into controversy, and already entering, I wanted to understand at what point the world got lost in demonizing one company and forgot the other that did even worse things. This must be why.

  • Without naming names it is difficult to say, because all the major companies have at least one small stain in their history... In this case I mentioned Apple because it was the first that came to mind, but if I remember correctly the model of Trusted Computing that Microsoft advocated/advocates goes in the same vein: putting controls on hardware limiting software to a "reliable" set. So far so good, the problem is who decides what is reliable and what is not... This type of initiative ends up giving a lot of power to suppliers in the name of a supposed security.

  • 1

    But this is what I meant: the first walks all over the user and is loved, the second is demonized for having abused in the past. I am in favor of user control, including the user having the option to give control to some company, if they want.

1

The user will always be able to use a proxy to intercept communications with the server and modify them before the data reaches the browser. There’s nothing to do.
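
The "never trust anything that comes from a client" rule from the first answer, and the proxy point above, as an added example (not code from any of the posters): the server recomputes an order from its own data instead of accepting values a user could have edited in the browser or in transit. The names PRICES and validateOrder and the request shape are hypothetical.

```javascript
// Added example: server-side re-validation of a client-submitted order.
// PRICES, validateOrder and the request shape are hypothetical.

// Authoritative prices (in cents) live on the server; the browser never sets them.
const PRICES = new Map([['book', 2500], ['pen', 300]]);

function validateOrder(body) {
  if (body === null || typeof body !== 'object' ||
      !Array.isArray(body.items) || body.items.length === 0) {
    return { ok: false, errors: ['items must be a non-empty array'] };
  }
  const errors = [];
  let total = 0;
  for (const item of body.items) {
    const sku = item && item.sku;
    const qty = item && item.qty;
    if (typeof sku !== 'string' || !PRICES.has(sku)) {
      errors.push(`unknown sku: ${String(sku)}`);
      continue;
    }
    // Range-check every field, even ones the page's own script "already checked".
    if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
      errors.push(`invalid qty for ${sku}`);
      continue;
    }
    // Any item.price sent by the client is ignored on purpose.
    total += PRICES.get(sku) * qty;
  }
  if (errors.length > 0) return { ok: false, errors };
  // A client-computed total is only compared, never used.
  const tampered = body.total !== undefined && body.total !== total;
  return { ok: true, total, tampered };
}

// Constructed sample requests.
const honest = { items: [{ sku: 'book', qty: 2 }], total: 5000 };
const edited = { items: [{ sku: 'book', qty: 2, price: 1 }], total: 2 };
const negative = { items: [{ sku: 'pen', qty: -5 }] };

for (const req of [honest, edited, negative]) {
  console.log(JSON.stringify(validateOrder(req)));
}
```
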

1

Yes, as far as I know you can play with the JavaScript of a website; some browsers even make a console available for you to debug your code (like Chrome). And there are some ways to avoid it, but as they say, what is "safe" nowadays?

Method 1

I will be honest, I have not read the entire article, but even if it is very old, I believe that the method is still "usable" (otherwise, please let me know). Basically, instead of you calling the script the conventional way:

<script src="script.js"></script>

You call another file, which in this case is of type .asp and makes use of AJAX requests to hide the code. Article link: http://www.linhadecodigo.com.br/artigo/3502/como-ocultar-seu-codigo-via-ajax.aspx

Method 2

I prefer this form, as it also speeds up the page loading speed considerably. This method consists of using an obfuscator that compresses your code and makes it unreadable, exchanging/encrypting (depends on which tool you use) much of the code. There are several online tools that do this for you:


Remember that, as I said, nothing is safe nowadays, especially when your code is directly exposed to anyone. That's why it's always important to be careful when creating a script and never put credentials in it (like database passwords); common sense never hurts.

In case you want to read more about it: https://stackoverflow.com/questions/194397/how-can-i-obfuscateprotect-javascript

  • 2

    This link of your method 1 gave me a headache... :P So many people will try to control what the user does or fails to do with their site! But in one thing they are right, nobody cheats these techniques (I, for example, when I notice them, leave the site immediately and never come back, haha). And I can't help but notice them, because they make the site a lot more boring to use (but if I really want to, I get around them easily). P.S. I don't give -1 because I see that your intention is to help, but overall I find a wrong answer about security worse than no answer at all. "nothing is safe nowadays", huh?!
