2

After my page has loaded, the script that's inside the body tags will be removed by the remove(); function:

<script>
$(document).ready(function()
{
    $('script').remove();
});
</script>

My question is if this is a good thing to do or if it's just useless.

EDIT:

var $data = [];
$data.push($('#login_form').serializeArray());
$.ajax({
    url: '<?php echo Router::url(array('controller'=>'account', 'action'=>'login'),true); ?>',
    type: 'post',
    data: {data:$data},
    success: function(result,status)
    {
        $('.message').html(result);
    }
});

The request goes via SSL. It queries some data from the database and returns this. That is actually all. And this is just one particular request; I have about 50 of those requests. So I would like to know how to make it a bit more secure.

Rens Tillmann
  • 1
    Why do you want to do this? – Marvin Emil Brach Jun 07 '13 at 13:16
  • I will update my question with the request I am making. All requests are made via an ajax request and will load an action inside my controller. I use CakePHP for this project. See edit in my original question. – Rens Tillmann Jun 07 '13 at 13:34
  • Make a new question then. Let others benefit from what we all wrote down here... – Marvin Emil Brach Jun 07 '13 at 13:39
  • Already edited it, sorry. – Rens Tillmann Jun 07 '13 at 13:40
  • What should be safer? Logins over SSL are standard, and the only thing to make it safer would be to not publish it. Or am I missing / misunderstanding something? – Marvin Emil Brach Jun 07 '13 at 13:50
  • So I do not have to worry about data capture when using a connection over SSL? And no, you are not missing anything. – Rens Tillmann Jun 07 '13 at 14:37
  • 1
    Don't worry, be happy. You don't have to worry more than all other web developers. Hackers are always a threat, but what you're doing is all we can do on the developer side (at the moment). The greater security hole were, are and always will be the users. For every system, there is a way to get into it ;) The only thing we can do is to make the effort greater. – Marvin Emil Brach Jun 07 '13 at 14:43
  • Ok, I am happy then :) Your comment really allows me some comfort. Thank you! – Rens Tillmann Jun 07 '13 at 14:48

2 Answers

3

It's useless to do; scripts loaded into memory don't disappear if you remove the script tag.

adeneo
  • I know that the script will still function, and this is also a good thing, because I only wanted to remove the script from the HTML so that when a hacker tries to look for a specific call function he won't be able to find it, right? – Rens Tillmann Jun 07 '13 at 13:17
  • 3
    The browser's built-in source code viewer is not updated when the DOM is modified, so you will not see changes there. Remember, JavaScript is a client-side language, so everything there is public. – Kristian Vitozev Jun 07 '13 at 13:19
  • No, the browser first receives the complete HTML code, and so it is always visible. If you want to obfuscate what you're doing, use an obfuscator – Marvin Emil Brach Jun 07 '13 at 13:20
  • @RensTillmann - you wish, just clicking "view source" will still show your script, and removing the tag is not even close to secure. – adeneo Jun 07 '13 at 13:20
  • @adeneo What is the best way to secure ajax requests then? Although it is off topic from my original question. – Rens Tillmann Jun 07 '13 at 13:22
  • @MarvinEmilBrach I will look into an obfuscator. Thank you – Rens Tillmann Jun 07 '13 at 13:23
  • Always accept an answer if it helps you – that's thanks enough for everyone in the stack-exchange network ;) – Marvin Emil Brach Jun 07 '13 at 13:28
  • Kristian Vitozev is right, any obfuscated code can be deobfuscated (decompiled, too). So if you really have code you would not offer, do the computation on the server side. – Marvin Emil Brach Jun 07 '13 at 13:32
  • 2
    @RensTillmann - There is no such thing as ajax or javascript clientside that is secure in a way that the user can't see it. Obfuscating is one way to go, but just doing a Google search will turn up plenty of services that "beautify" the code back so it's readable! – adeneo Jun 07 '13 at 13:43
2

First, it will remove all scripts, and second, it will do nothing if you want to hide your code; the received HTML will always have the content as it was.

EDIT: How can I obfuscate (protect) JavaScript?

EDIT #2: Kristian Vitozev is right, any obfuscated code can be deobfuscated (decompiled, too). So if you really have code you would not offer, do the computation on the server side.

Community
Marvin Emil Brach
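
Added example (not part of the original thread or any poster's code): a small Node.js model of the two points made in the answers above, that detaching script elements does not unload code that has already run, and that the response body the server sent is unchanged. The sample response body, `submitLogin`, the `/account/login` path and the helper functions are constructed for illustration; indirect `eval` stands in for the browser executing an inline script.

```javascript
// Constructed sample: what the server sent, i.e. what "view source" displays.
const responseBody = [
  '<form id="login_form"></form>',
  '<script>function submitLogin() { return "POST /account/login"; }</script>',
].join('\n');

// Hypothetical helper: turn the body into a flat list of "DOM nodes".
function parseNodes(html) {
  const nodes = [];
  const re = /<(\w+)[^>]*>([\s\S]*?)<\/\1>/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    nodes.push({ tag: m[1], text: m[2] });
  }
  return nodes;
}

// Model of page load: every script node is executed once, in global scope.
function loadPage(html) {
  const dom = parseNodes(html);
  for (const node of dom) {
    // Indirect eval defines globals, like a classic inline <script> does.
    if (node.tag === 'script') (0, eval)(node.text);
  }
  return dom;
}

// Model of $('script').remove(): detaches the elements and nothing else.
function removeScripts(dom) {
  return dom.filter((node) => node.tag !== 'script');
}

function demo() {
  const dom = removeScripts(loadPage(responseBody));
  return {
    scriptNodesLeft: dom.filter((n) => n.tag === 'script').length,
    functionStillDefined: typeof globalThis.submitLogin === 'function',
    callResult: globalThis.submitLogin(),
    sourceStillHasScript: responseBody.includes('function submitLogin'),
  };
}

console.log(demo());
```
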