The three values ensure that the data is being sent within the 3 second window to account for latency between the browser and the server The server checks the hashes against the current time stamp there. The client then sends the same 3 hashed values back to the server thru an ajax call to fetch the actual JS that I need. In some cases, I think you can hard-bake these values into a script section of HTML when the page is formed, and delete that script tag once the use of the hashes is over The server is CORS protected and does all the usual SERVER_NAME etc check (which is not much of a protection but at least provides some modicum of resistance to script kiddies).Īlso it would be nice, if the the server checks if there was indeed an authenticated user's client doing this These values are sent over to the client via Ajax to the client as a comma delimited string from my PHP module. One for the current timestamp, and the other two for each of the next 2 seconds. The server creates 3 hashed and salted values. This is how the algorithm works (roughly) Having said that in some cases I do this to put some hurdles in the way of those who want to take a look at the code. I agree with everyone else here: With JS on the client, the cat is out of the bag and there is nothing completely foolproof that can be done.
This obviously wouldn't help much if you're trying to hide the script itself. I don't know.)ĮDIT: I thought you were only trying to hide the location of the script. (Maybe you could use POST instead, to make it just a little harder for other people to see what you're doing. If you do this a lot, you might even want to set up a PHP page that accepts a GET variable with the script's name, so that you can dynamically grab different scripts using the same PHP.
(You might have trouble with this innerHTML may not be what you need, but you can experiment.)
#External jsp file secure code#
When this string returns to the JavaScript, have it create a new script tag, populate its innerHTML with the code you just received, and attach the tag to the page. Have the PHP locate the file (maybe on a non-public part of the server), open it with file_get_contents, and return (read: echo) the contents as a string. Instead of loading the script like normal, send an AJAX request to a PHP page (it could be anything I just use it myself). Just off the top of my head, you could do something like this (if you can create server-side scripts, which it sounds like you can): The rest of the encoding/decoding is trivial. That means that you can store a character (actual it's ascii code) in every pixel. And since the canvas pixel is represented by 4 values (rgba), each pixel can have a value in the range of 0-255. The idea behind this approach is that most browsers can use the canvas element to do pixel manipulation on images.
#External jsp file secure how to#
I recently came across a very interesting article written by Patrick Weid on how to hide your js code, and he reveals a different approach: you can encode your source code into an image! Sure, that's not bullet proof either, but it's another fence that you could build around your code. These are all just simple hacks that cannot, and I can't stress this enough: cannot, fully protect your js code, but they can sure piss off someone who is trying to "steal" your code. This way, only the browser could see the js file contents.Īnother interesting idea is that at the end of your script, you delete the contents of your dom script element, so that after the browser evaluates your code, the code disappears: ĭocument.getElementById('erasable').innerHTML = ""
That would be included in your main page my-page.php:
In this example, you'll need the external "js" (written in PHP) file myJs.php: In that case, if you have Īnd someone tries to access the myJs.js file in browser, he shouldn't be granted any access to the script source.įor example, if your page is written in PHP, you can include the script via the include function and let the script decide if it's safe" to return it's source. Off the top of my head, one idea is to restrict access to your external js files from outside the page you embed your code in. There are a few ways of making your code hard to be stolen, but as I said nothing is bullet-proof. Obfuscating your code is a good solution, but it's not enough, because, although it is hard, someone could decipher your code and "steal" your script. JavaScript is a client-side programming language, therefore it works on the client's machine, so you can't actually hide anything from the client. Good question with a simple answer: you can't!
0 kommentar(er)
