This question already has answers here:
How to protect code in HTML5/Canvas game?
(2 answers)
Closed 8 years ago.
What should I do to protect my code?
Due to the open source code, a person can take the data, one by one. Alternatively, they save press ctrl+s. I want to protect it so that if someone wants to take my data, he has to connect to my site.
This is a classical caveat of serving client-side code. It is impossible to completely hide your code if you are going to send it to a client; he must receive a .js file in order to execute it in his browser, and that file is always viewable by some means.
You can attempt to obfuscate your code using a minifier like Uglify.js, but people can still prettify your code and examine it and attempt to figure out how it works.
Alternatively you could do everything server-side and serve images of the game to the user, but this would be impractical for any game with a moderately-high framerate.
Note that in most countries you have a copyright on whatever you write, so if someone was to ever steal your code you could sue them.
You can't protect your javascript functionality from copy-paste, as explained here.
How to protect code in HTML5/Canvas game?
To paraphrase the Borg..."obfuscation is futile"
(your code and your data must become visible for the browser to run it)
To slow thieves down:
If you're trying to protect your methods: minify your javascript.
If you're trying to protect your data: download data from server in real time (Ajax/websockets).
Related
This question already has answers here:
How can I prevent javascript code theft?
(7 answers)
Closed 6 years ago.
I made many javascripts for my blogger after hard work. So, I don't want anyone steal my codes, can I do that?
I tried obfuscate and encode from many websites, but anyone can easily steal it after that, So it just slow my website.
I need really solution : )
You can't. The only thing you can do is make your code harder to read by minimizing it, and otherwise obfuscating it. The code is sent to the client; you must assume they'll try to read it.
If you visit a website and the page is already "constructed", it means they used a server side language/framework to create the page before it was sent.
Javascript files are shown publicly, and sent directly to the client, so there's no way you can prevent them from being viewed. You had the right idea trying to obfuscate it, as that's the only solution, you just need to find the right obfuscater. In my opinion, you shouldn't even obfuscate them, as most scripts are written in a matter of minutes, it wouldn't make much sense for somebody to steal yours. If you really need to do so, then a quick google search returns this.
No, you can't. At the end of the day, the user can look at any javascript that is being run on the client. If you're doing anything that is business sensitive (such as connecting to databases, etc), that should take place on the server, so that users can't see it. Client-side JavaScript is intended to work with data that the user can see anyway, so it's not important for it to be obfuscated.
If you're just jealous that someone is going to to use your code, well.. Tough luck. Though I should say that in all likelihood nobody is interested in stealing your code. If they're going to reuse code, they'll download a plugin - not go through the source of random websites to see if there's anything they could scavenge.
People have mentioned obfuscation, but if that's your goal, you're doing something wrong. You should certainly minify your code - but that's to make it take less space, and thus load faster. Not to obfuscate it.
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
There are a lot of features and abilities of javascript that I am unaware of. I have developed a custom closed source CMS and I was thinking about adding a feature to allow for custom javascript that gets included on each page of their site (but not the backend system itself). I was curious of the risk involved with doing this? The CMS is built using PHP and there is javascript within the backend system of this CMS, but thats pretty much it.
If I allow custom javascript, can this be manipulated to retrieve all the php code, or to cause issues on the server itself?
I own the servers, so I can make any adjustments necessarily for safeguarding the server.
Again, this is purely for information and I appreciate any advice people can give me.
The javascript will be stored in a file and included using php on the page itself. I do have code that blocks anything inside to prevent the use of PHP within the code itself.
Can they steal my closed-source PHP code with JavaScript?
To answer your first question, no, your closed-source PHP code cannot be stolen by a user of your CMS software simply by uploading a JavaScript snippet.
This is because JavaScript runs on the client-side (the web browser).
If JavaScript is able to access your PHP code from the client-side, then they'd be able to access it without JavaScript. That would mean that you've configured something wrong on the web server side, like setting permissions on your files so that anyone can view them.
Is allowing JavaScript to be uploaded by a CMS user a good idea?
You'll get some folks who will scream ABSOLUTELY NOT UNDER ANY CIRCUMSTANCE. These are the same people who say things like:
Using eval() is always evil. It's not always evil, but it's almost always unnecessary.
Using global or $_GLOBALS in PHP is evil. Again, it's only evil if you don't know what you are doing. And again, it's almost always unnecessary.
You should read that as a WARNING. Don't treat this issue lightly, if you are careful, you can do it, but if you are not, it can really bite you in the a**. That's reason enough for most people to stay away from it.
Before you decide for sure if you should or shouldn't allow users of your CMS solution to upload JavaScript snippets, you should ask yourself the following question:
Who will be allowed to upload JavaScript snippets?
If the only people who have access to this feature of uploading JavaScript modules are trusted system administrators, then you should consider it safe. I put that in italics because it's not really safe, but it does, at that point, fall on these trusted users to ensure that they don't upload something malicious.
Maybe you get Mary Neophyte, webmaster(amateur) extraordinaire who decides she wants a cool scriptlet on her CMS front page that displays the current weather in Anchorage, Alaska. She goes to Google, types in "JavaScript weather script", and arrives at Weather Channel. She decides their implementation is just too hard to install. She keeps looking. She arrives at Boris' Weather Script at http:/motherrussia.ru/ilovehackingidiots/weatherscript.html.
This isn't your fault when her CMS starts compromising her end users. She was the trusted administrator who uploaded a malicious script purposefully (though ignorantly). You shouldn't be held responsible for this type of behavior.
Long story short, you should be able to trust the trusted users of your CMS to be responsible enough to know what they are uploading. If they shoot themselves in the foot, that's not on you.
Allowing non-trusted users to upload JavaScript
This absolutely, positively, without a doubt is never something that you should do. It is impossible for you to screen every possible obfuscation that someone could upload.
I'm not even going to get into this further. Don't do it. Period.
Regarding HTML/CSS
Don't assume that malicious code can't make it onto your website via HTML/CSS. While HTML is much easier to sanitize than JavaScript, it can still be exploited to deliver undesired JavaScript to a page.
If you are only allowing trusted users to upload HTML/CSS, then don't worry too much about it. I stress again, It is Mary Neophyte's fault if she uploads Boris' Weather Script to her site. However, don't let Boris himself come to your website and start uploading anything that will get displayed on a web page to anyone but ol' Boris himself.
TL;DR
I'll summarize everything into two rules:
Don't allow untrusted users to upload anything that will be displayed to anyone other than themselves.
Don't let anyone upload anything at all that gets executed server-side.
Allowing custom JavaScript would probably be a very bad idea. That would make your site vulnerable to cross-site scripting attacks and allow it to be a vector for cross-site request forgery attacks against other sites.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
How can I obfuscate JavaScript?
Is it possible to make some of Javascript private and confidential so that certain things can remain confidential?
If you're asking whether or not you can prevent users from viewing your source, the answer is basically no.
Sometimes you can make it impossible to do right-click / view source, but people could simply use a tool like Firebug.
You can minify your code, but that doesn't hide it. It just makes it harder to comprehend.
I think what you are after is encrypting/obfuscating javascript code; you cant avoid but send your JavaScript code to the client.
The best you can do is obfuscate it, which is essentially making it harder to humanly read it. and here the SO reference if you want to go down that path
How can I obfuscate (protect) JavaScript?
I am not sure why you want to do this, is it to protect some of your own code, if so then its ok, but if you are planning on putting sensitive data such as usernames/passwords embeddeed into your javascript then please don't do so, its ok to go to the server to fetch stuff better being secure :-) happy coding.
This question already has answers here:
How can I hide or encrypt JavaScript code? [duplicate]
(7 answers)
Closed 7 years ago.
How to secure or hide javascript code on client side. Is there any way to doing so.
Thank You
Short answer: You can't/don't.
Longer answer: You cannot hide it at all. It runs on the client and it cannot be compiled to machine code.
However, you could minify it - that's basically obfuscating it by shortening variable names, removing whitespace, etc. While it's usually used to save bandwidth it also makes the code less readable.
Note that all but the changed variable names and removed comments can be easily undone by something like jsbeautufier.. but for a large application it's very hard to understand the code without any meaningful variable/function names or comments.
There is no such thing as 100% secure javascript code. This is because any code executed on the client's machine cannot be fully secure. Your best bet is to obfuscate your javascript and make it hard to read.
Your best bet is to ensure all vital secure code runs on the server, and allow javascript to do only simple, UI enhancing tasks on the client side.
As i know it is not possible. Only thing you can do it making the code very badly organized. Which will take longer time to find out actually what you are doing.
If you are searching this because of security reasons, you have to remember the only thing matters in security is the password-which is not put in the code. So find a nice way to encrypt you stuff. You can find many good ways on web.
This question already has answers here:
Closed 12 years ago.
Possible Duplicate:
Protecting client side logic & data
How can I block other from reading my JavaScript through view source?
My thing is, now one can access my JavaScript, because am not sure, but just guess some one from outside using some tool to changing my JavaScript events.
So how to make the authenticated?
You don't control the client, and javascript isn't compiled. Its a losing battle if you want to lock it down completely. The best you can hope for is a good obfuscator/compressor that would make it more difficult to read. You can also do it all in flash or something where you would have a bit more say, but you still don't control the client, and they can still decompile the source.
It's not entirely possible for you to block your JavaScript code from getting into the client side, since this is where they will get executed.
As you mentioned about changing the events, your Application must be developed in a such a way that such changes will not harm the Application at the server end. Of course, that particular user will be able to produce unanticipated output it his end, but these should hardly matter as he will be the sole viewer of those.
One side note though, there is something called code obfuscation, that is making the code deliberately unreadable. Some Web App developers resort to that. You could consider doing that.