2

Is there a way to hide credentials, such as password or authentication header tokens from user 's eye in a pure HTML/Javascript app?

The AngularJS App communicates against a rails backend via CORS running on a different domain.

Beside setting up CORS being more restrictive or checking against Domains in request on backend side, I wish to send auth tokens or add tokens to headers.

Does anyone know?

kind regards,

Alex

sp33c
  • 494
  • 1
  • 5
  • 15

2 Answers2

1

I don't think there is any way out. A smart user can get to it anyways.

techvineet
  • 5,041
  • 2
  • 30
  • 28
  • I see, I assumed. Could I add auth tokens invisible for users via .htaccess? – sp33c Sep 09 '13 at 07:07
  • No, once the page is out of web server, it does'nt have much control over it. Even if you get it from server at runtime, user can see what is coming. – techvineet Sep 09 '13 at 07:10
1

You can only restrict what your user sees by obscurity, which is not a very good Idea.

The key here is to set up your authentication in a way so it does not matter what the user can see or manipulate. One way to do this, is to send generated keys to your client and to your second server app every time your app needs to be authenticated. Restrict usage in a way that makes sense for your app. Another possibility would be registration.

A possible workaround would be to use one server as the only node the client is talking to while the server does all the work of talking to your other server. Especially if you don't want to give your user the possiblity to call the api of your second server outside of your app logic for some reason.

d23
  • 63
  • 5