Block access to javascript files


4

I have a JavaScript file that makes AJAX requests to my API, and I don't want anyone to discover its link. Is there some way to block access to this file?

If there is no way, can it be released so that only the site itself can access it?

2 answers

6


The moment the AJAX request is performed, it will always be possible to trace it, because the request originates in the client. So what can be done is a validation on the server.

Example:

Let’s assume you’re making the request for the site: http://www.testandoapi.com.br/index.php

In the index.php file, you can have a PHP statement that checks whether the origin of the request is www.testandoapi.com.br.

<?php
  // The Origin header carries the scheme too, e.g. "http://www.testandoapi.com.br",
  // so the comparison must include it; a bare host name would never match.
  // isset() avoids a notice when the header is absent.
  if( isset($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] === 'http://www.testandoapi.com.br' ){
     // your code here
  }
?>

This causes only requests coming from the www.testandoapi.com.br domain to be executed.

Note: the above solution is not immune to failure; there are other aspects that should be taken into account.


Complementing the above solution, you can also work with a Token. But for that, it will be necessary to define certain criteria:

  1. Whether or not to generate the Token for everyone who accesses the site.
  2. The validity period of the Token.

You may have other items to define; it is worth taking into account the context in which your API will be used.

  • I already did it like this: $site_ = $_SERVER["SERVER_NAME"];

  • Despite the solution, I don't find doing it this way reliable at all, mainly because whoever wants to make requests will usually be an experienced person who can easily circumvent it.

  • SERVER_NAME retrieves the server name, not the request data. It is worth taking a look at HTTP_HOST and HTTP_ORIGIN. See if this helps: http://stackoverflow.com/questions/2297403/http-host-vs-server-name

  • It's something simple; I don't think anyone will try to cheat :)

  • @Maiconcarraro, I agree with you. To create a more elegant solution, we would need to understand why this security is needed, and the context of the API and its use.

  • I would create a single Token and always pass it in the request; it is safer than simply checking a text field in the request.

  • Good... but for the Token to work it would need a well-defined rule for creating and reading it. Because giving out a Token and leaving it open to everyone would be the same as validating a text field in the request...

  • @Maiconcarraro, I added your suggestion to the answer... ;)

  • @Gustavocarvalho Thanks :)

  • HTTP_ORIGIN is a new feature offered by Google Chrome. Other browsers do not support it. Moreover, it is not recognized by servers; it is necessary to install a specific module for support. The biggest problem is that the effect is the same as HTTP_REFERER: it can be manipulated easily. And an even bigger problem: in a legitimate request, the value of HTTP_ORIGIN or HTTP_REFERER can come empty, so you would be blocking a legitimate request. The JavaScript needs to be read anyway. Everything you try to do to block access is in vain. At most, you can make it harder with obfuscation.


0

You must provide security on the server side, authorizing only those who are allowed to access the action's address. The "link" can be discovered anyway when the user makes the request, simply by monitoring the requests in the browser itself.
