Is there any way to disable or encrypt "View Source" for my site so that I can secure my code?
if you can teach users to decrypt the source, yes might be ... – RageZ Nov 24 '09 at 07:58
If this is a public site, then hiding its contents is not feasible. – Andy West Nov 24 '09 at 08:00
If you want something to be secret, don't put it on the web. – deceze Nov 24 '09 at 08:01
I don't have enough Rep to edit, but I think it is a good question [with editing] to provide an answer to explaining the server side vs. client side web model – Bobby Borszich Nov 24 '09 at 08:04
11 Answers
Fero,
Your question doesn't make much sense. The "View Source" is showing the HTML source—if you encrypt that, the user (and the browser) won't be able to read your content anymore.
If you want to protect your PHP source, then there are tools like Zend Guard. It would encrypt your source code and make it hard to reverse engineer.
If you want to protect your JavaScript, you can minify it with, for example, YUI Compressor. It won't prevent the user from using your code since, like the user, the browser needs to be able to read the code somehow, but at least it would make the task more difficult.
If you are more worried about user privacy, you should use SSL to make sure the sensitive information is encrypted when on the wire.
Finally, it is technically possible to encrypt the content of a page and use JavaScript to decrypt it, but since this relies on JavaScript, an experienced user could defeat this in a couple of minutes. Plus all these problems would appear:
- Search engines won't be able to index your pages...
- Users with JavaScript disabled would see the encrypted page
- It could perform really poorly depending on the amount of content you have
So I don't advise you to use this solution.

Could you please tell me how to encrypt a page content and make JavaScript decrypt. – Fero Nov 24 '09 at 12:49
Who cares? If my browser can render something, I can get the source. – David Thornley Dec 20 '09 at 18:52
@Fero JavaScript Encryption and Decryption http://www.vincentcheung.ca/jsencryption/ – Matthew Lock Jul 30 '13 at 02:35
You can't really disable that because eventually the browser will still need to read and parse the source in order to output.
If there is something SO important in your source code, I recommend you hide it on server side.
Even if you encrypt or obfuscate your HTML source, eventually we still can eval and view it. Using Firebug for instance, we can see source code no matter what.
If you are selling PHP software, you can consider Software as a Service (SaaS).

So you want to encrypt your HTML source. You can encrypt it using some JavaScript tool, but beware that if the user is smart enough, he will always be able to decrypt it by doing the same thing that the browser should do: run the JavaScript and see the generated HTML.
EDIT: See this HTML scrambler as an example on how to encrypt it: http://www.voormedia.com/en/tools/html-obfuscate-scrambler.php
EDIT2: And .. see this one for how to decrypt it :)

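The point made in the answers above (a page that decrypts itself in JavaScript can be read by running that same JavaScript), as an added example that is not part of any answer on this page. `pack`, `render`, the key and the sample markup are constructed for illustration, XOR plus base64 stands in for whatever scheme a scrambler uses, and the code runs under Node.js.

```javascript
// Constructed sample markup and key; the key must ship with the page,
// otherwise the browser could not decode it either.
const SECRET_HTML = '<div id="my secret page layout trick">hello</div>';
const KEY = "constructed-key";

// XOR every byte with the key (stand-in for any client-side "encryption").
function xorBytes(bytes, key) {
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    out[i] = bytes[i] ^ key.charCodeAt(i % key.length);
  }
  return out;
}

// Build the self-decoding page an HTML scrambler would serve (ASCII input only).
function pack(html, key) {
  const blob = Buffer.from(xorBytes(Buffer.from(html, "latin1"), key)).toString("base64");
  const loader =
    `var k=${JSON.stringify(key)},b=atob(${JSON.stringify(blob)}),s="";` +
    `for(var i=0;i<b.length;i++)s+=String.fromCharCode(b.charCodeAt(i)^k.charCodeAt(i%k.length));` +
    `document.write(s);`;
  return `<html><body><script>${loader}</script></body></html>`;
}

// Do what the browser does: run the shipped script and collect what it writes.
// No knowledge of the scheme or the key is needed.
function render(page) {
  const script = /<script>([\s\S]*?)<\/script>/.exec(page)[1];
  let written = "";
  const fakeDocument = { write: (s) => { written += s; } };
  const fakeAtob = (s) => Buffer.from(s, "base64").toString("latin1");
  new Function("document", "atob", script)(fakeDocument, fakeAtob);
  return written;
}

const page = pack(SECRET_HTML, KEY);
console.log(page.includes("secret page layout")); // is the plaintext visible in "View Source"?
console.log(render(page) === SECRET_HTML);        // does running the script give it back?
```

Anything that must stay confidential therefore has to be computed on the server and never sent, as the other answers say.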
Short answer is no; HTML is an open text format, and whatever you do, if the page renders, people will be able to see your source code. You can use JavaScript to disable the right click, which will work on some browsers, but anyone wanting to use your code will know how to avoid this. You can also have JavaScript emit the HTML after storing it encoded; this will have bad impacts on development, accessibility, and speed of load. After all that, anyone with Firebug installed will still be able to see your HTML code.
There is also very rarely a lot of value in your HTML; your real IP is in your server code, which stays safe and sound on your server.

You can't. The browser needs the source to render the page. If the user wishes, the user may have the browser show the source. Firefox can also show you the DOM of the page. You can obfuscate the source but not encrypt or lock the user out.
Also, why would you want this? It seems like a lame ass thing to do :P
This is fundamentally impossible. As (almost) everybody has said, the web browser of your user needs to be able to read your html and Javascript, and browsers exist to serve their users -- not you.
What this means is that no matter what you do there is eventually going to be something on a user's machine that looks like:
<html>
<body>
<div id="my secret page layout trick"> ...
</div>
</body>
</html>
because otherwise there is nothing to show the user. If that exists on the client-side, then you have lost control of it. Even if you managed to convince every browser-maker on the planet to not make that available through a "view source" option -- which is, you know, unlikely -- the text will still exist on that user's machine, and somebody will figure out how to get to it. And that will never happen, browsers will always exist to serve their users before all others. (Hopefully)
The same thing is true for all of your Javascript. Let me say it again: nothing that you send to a user is secure or secret from that user. The encryption via Javascript hack is stupid and cannot work in any meaningful sense.
(Well, actually, Flash and Silverlight ship binaries, but I don't think that they're encrypted. So they are at the least irritating to get data out of.)
As others have said, the only way to keep something secret from your users is to not give it to them: put the logic in your server and make sure that it is never sent. For example, all of the code that you write in PHP (or Python/Ruby/Perl/Java/C...) should never be seen by your users. This is e.g. why Google still has a business. What they give you is fundamentally uninteresting compared to what they never send to you. And, because they realize this, they try to make most things that they send you as open and as useful as possible. Because it's the infrastructure -- the terabyte-huge maps database and pathfinding software, as opposed to the snazzy map that you can click and drag -- that you are trading your privacy for.
Another example: I'm not sure if you remember how many tricks people employed in the early days of the web to try and keep people from saving images to disk. When was the last time you ran across one of those? Know why? Because once data is on your user's machine, she controls it. Not you.
So, in short: if you want to keep something secret from your user, don't give it to her.

I don't think there is a way to do this. Because if you encrypt it, how will the browser understand the HTML?

Orkut is mostly JavaScript based. The source code that's there is there, nothing hidden really. – deceze Nov 24 '09 at 08:12
In Orkut they are using FRAMES for this purpose. If you are using FF you can right click and check this frame source. – Anuraj Nov 24 '09 at 08:28
Also you can use the inspection tools in certain browsers and extensions to see the end-result HTML anyway. – Annath Dec 20 '09 at 07:17
No. The browsers offer no ability for the HTML/JavaScript to disable that feature (thankfully). Plus, even if you could, the HTML is still transmitted in plain text, ready for an HTTP sniffer to read.
The best you could do would be to somehow obscure the HTML/JavaScript to make it hard to read. But then debuggers like Firebug and IE 8's debugger will reconstruct it from the DOM, making it easy to read.

Yes, you can have your whole website being rendered dynamically via javascript which would be encrypted/packed/obfuscated like there is no tomorrow.

Yeah, but if it's decrypted by JavaScript it's still being decrypted client-side and can easily be reverse engineered. As others have said, what is being asked for is fundamentally impossible. – Annath Dec 20 '09 at 07:15
@Annath: Well, technically the question says nothing about decrypting the page... – Niki Dec 20 '09 at 09:26
You can, in fact, disable the right click function. It is useless to do so, however, as most browsers now have built-in inspector tools which show the source anyway. Not to mention that other workarounds (such as saving the page, then opening the source, or simply using hotkeys) exist for viewing the HTML source. Tutorials for disabling the right click function abound across the web, so a quick Google search will point you in the right direction if you feel an overwhelming urge to waste your time.

There is no foolproof way.
But you can fool many people with a simple hack using the methods below:
"window.history.pushState()" and
adding oncontextmenu="return false"
in the body tag as an attribute
Detail here - http://freelancer.usercv.com/blog/28/hide-website-source-code-in-view-source-using-stupid-one-line-chinese-hack-code
You can also use “javascript obfuscation” to further complicate things, but it won’t hide it completely.
“Inspect Element” can reveal everything beyond view-source.
