I am trying to find a solution to detect if clients brower has javascript enabled or not.
Is there a way to check whether JavaScript is enabled in the client browser, in django if possible or in python?
Unfortunately, you can't do this unless trying a second request. There's no way to know this before actually interacting with the browser itself.
The closest I can think of is trying to set a cookie and store this information for future visits.
Hope it helps.
The right approach is to degrade gracefully, but that is not always possible especially with web app. Use a <noscript> tag to tell the user to re-enable javascript.
If you need a solution through django, set a cookie using JS and try to read it in the second request. If you dont see the cookie then JS is not enabled. However, as a first request it can't be detected.
Related
I am building a website which uses a lot of javascripts. I want to know if a user can edit the js too along with seeing it.
For example, I have an ajax function which calls a.php. Can user just edit the js function in firebug or something similar to make it b.php which I want don't want to be available to everybody.
Similarly, I call an ajax function with parameter x. Is it possible for a user to make that parameter y and then call that function.
Yes. Anything in the user's browser is under the control of the user.
You have control over nothing beyond the edge of your HTTP server.
Anything that is front end, that means, HTML, CSS javascript in any of its forms or any other scripting client side languages can be modified and it is your job as a web developer to expect them to be modified by curiosity of the user or just to try and find vulnerabilities.
That is why while having client side validations (javascript in any form or just HTML5 ones), it is also of utter importance that you actually validate this stuff on server side, with whatever language you are using (PHP, Ruby, ASP just to give a few examples).
On Chrome, users can easily press F12 on their keyboard to see your javascript/html/css code and try to modify it, we as web designers/developers do it as well for just inspiration, check out how something works, and well expect other people with different intentions to do it.
Same goes with Firefox, opera and pretty much any other web explorer.
Your job is not to prevent this, but to prevent that when someone changes something on the client side, the server side is ready to respond back in an appropriate way, preventing harm to the information on your servers.
To give a concrete example, that is why people take so much time in making sure queries to databases are sanitized, and not subjected to sql injections. More information about those here: http://www.unixwiz.net/techtips/sql-injection.html
So no, you can't prevent users from modifying your front end files, at most you can try some practices I've seen around like disabling right click (really annoying).
I am using jQuery to disable some form buttons. Simple stuff. But how can I prevent users from editing the DOM and enabling the button themselves so they can work around the restrictions I put in place?
You can't. The client is completely under the control of the user.
You can only handle what data you accept when it is submitted to the server.
Use client side code to make things convenient for users. Use server side code to enforce security and other restrictions.
You can't. The DOM is entirely handled by the browser. Once you've sent off the page to the client, it's out of your hands. All you can do is keep track of whether an action is allowed on the server, and allow or disallow it when they try.
You can't force the user to do anything, neither can you prevent them from doing anything. If you could, spammers would have a field day.
This is why EVERYTHING MUST be validated on the server-side.
You can't!!! Once the DOM is at the client side you don't have control over it the best way to ensure security is to handle it also via server side.
i'm new to use javascript
now i can edit my javascript code from browser using firebug.
any idea, to detect or avoid edited javascript from client browser ??
You can't.
You can (and should) use server side code to check that any data sent to the server is sane, but you can't do anything to stop people sending whatever data they like.
It is not possible to prevent people from tinkering with your js in the browser, since js is sent as-is, from the server.
You can however obfuscate your js to make it slightly harder to edit. (Another link)
Since you can modify the Javascript file when you are in Chrome and press F12, the developer tab, will anyone be able to modify the Javascript there and change the behavior of my site and therefore how it interacts with the server?
Reason I am asking is I want to decide whether to put a piece of code for validation (eg. check email) on the server side or the client side.
Yes, anyone can change the Javascript and HTML of your site to submit anything to your server. You can even change POST/GET requests as well (for example, this plugin is available to Firefox users: https://addons.mozilla.org/en-us/firefox/addon/tamper-data/).
Always have server side validation for any input.
You can never depend on client-side processing being secure. There are many ways to alter or bypass client-side javascript. Client-side validation is nice to be able to give the user a quick response if validation fails, but it should always be backed up by server-side validation.
You should use a double validation:
On the server side to prevent data corruption etc.
On the client side to help the user to fill quickly his form without the need to submit (using a check or cross sign when the user exits a given field
For the business sake, you should only rely on the server side to determine if an given input is valid.
a savvy individual can modify the javascript in their browser, but that only affects their browser.
So yes, someone could disable a validate mechanism implemented in JS, which is why you need to validate on the server.
Anyone can modify the code in client-side but only users with FTP or other thing permissions can modify them server-side.
You should always do validation in server side. If you want (for example make server load smaller) you can make client side validation but it is not enough, since user can easily disable JavaScript.
I have a problem where I cannot identify visitors to my intranet page because their browser is configured to use a proxy, even for the local intranet. I always see the proxy IP and no other details about the client. The SOE that my company uses has the proxy set up already for Firefox and Internet Explorer, and I cannot ask them to reconfigure their browser because that is fairly complicated. I have tried using the PHP $_SERVER['REMOTE_ADDR'] and also one called $HTTP_SERVER_VARS['HTTP_X_FORWARD_FOR']. In fact, I wrote a page that lists both the $_SERVER and $HTTP_SERVER_VARS arrays and there was nothing informative of the actual client connecting. This is why I think it needs to be done on the client's side.
I'm not looking for a secure solution because it is only a simple page, so I was hoping that I could use Javascript or something similar to find something revealing about the client and send it to my intranet page as a GET variable. It's basically for collating statistics. It is no use telling me most of the visitors are a proxy! :)
I also want to avoid having users log in if possible.
You could use a cookie with a random, unique ID that's set upon the first entrance, and then used for identification. Could be done either in JavaScript or in PHP.
I am pretty sure there's no universal way to do this otherwise the whole concept of anonymous proxies go down the drain :)
My advice would be to ask your IT department to configure the proxy to populate the HTTP-X-FORWARD-FOR, REMOTE-ADDR or some other identifying header.