13

How to hide app.js, controller.js files or code?

They are visible in html source. Is there any way to hide them?

JasonMArcher
OMahoooo
  • You cannot hide but you can always minify your script. Search for javascript minification. – Chandermani Oct 20 '13 at 09:55
  • Angularjs code is javascript, and js is always visible to user, though you can obfuscate it. – defau1t Oct 20 '13 at 09:55
  • @defau1t Thank you for your answers.. But I don't mean AngularJS itself.. For example, are my controller and route codes visible to the user? I use PHP for the backend. Is it not a vulnerability that my controller and route codes are visible to the user? Sorry for my English – OMahoooo Oct 20 '13 at 09:59
  • I don't think there is any problem with that. Take a look at this angular site, http://fontdragr.com/ if you do a view source you could see all the services, factories, directives in view source. – defau1t Oct 20 '13 at 10:45
  • 2
    All your actual security checks should be done server-side anyway. All you do with angular/js/html is to give a presentation to the user. All the security features you get in angular itself are for the user using his browser, not for preventing him from doing anything wrong... – s-hoff Sep 17 '14 at 20:13

5 Answers

15

This cannot be done.

But you can use tools to minify the sources. See Google Closure and ng-min for angular.js

I recommend you use grunt to build one single js file for your application, with all of your code minified. Take a look at these projects that may be useful: ng-boilerplate and yeoman - angularjs

Deividi Cavarzan
10

You cannot hide AngularJS. It's based on JavaScript. Minifying doesn't help because anyone can convert it back to a human-readable view (sure, if anyone wants to steal your code). Try to put any sensitive logic on the server side.

Hope it will help,

Maxim Shoustin
  • I am sorry if it sounds like a noob but I am fairly new to server-side JS programming and quite intrigued by how it all works. How is it possible to keep sensitive logic on the server? – praneybehl Dec 03 '13 at 06:45
  • @praneybehl It means to write it with PHP/Java but not on the client side – Maxim Shoustin Dec 03 '13 at 08:18
4

You can hide your javascript code using an NGINX server subrequest.

If you have an /admin route in angular, backbone or another js framework and you want to hide it from unauthorized users, you can make a subrequest in NGINX to the backend, which checks if the user is authorized. If not, then you throw a 404 or redirect to the homepage.

This is the nginx module, which contains more details: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html

The code in NGINX looks more or less like this:

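location ^~ /admin {
    # check in the background (subrequest) whether the user is privileged;
    # a 2xx reply from /auth allows the request, 401 or 403 denies it
    auth_request /auth;
    root   /var/www/angular-client/;
}

location = /auth {
    # backend endpoint that answers whether the current user is an admin
    proxy_pass http://backend.cms/api/v1/users/admin.json;
    proxy_set_header X-Original-URI http://backend.cms/api/v1/users/admin.json;
}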
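
An added example, not part of the answer above or of any project it mentions: a Node.js sketch of the decision the backend behind `auth_request /auth` has to make, with the data API repeating the same check itself, since gating the static files alone does not protect the data. The token format, the secret and every function name here are assumptions made for this example.

```javascript
const crypto = require('node:crypto');

// Assumption: in a real deployment the key comes from server-side config.
const SECRET = 'constructed-demo-secret';

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Constructed token format "user.role.hmac" (user and role must not contain dots).
function issueToken(user, role) {
  return `${user}.${role}.${sign(`${user}.${role}`)}`;
}

// Returns the verified { user, role }, or null when the token is absent or forged.
function verifyToken(token) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [user, role, mac] = parts;
  const given = Buffer.from(mac, 'utf8');
  const expected = Buffer.from(sign(`${user}.${role}`), 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  return { user, role };
}

// Status for the auth_request subrequest: nginx allows on 2xx, denies on 401/403.
function authStatus(cookieHeader) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || '');
  const session = verifyToken(m && m[1]);
  if (!session) return 401;                      // not logged in, or tampered token
  return session.role === 'admin' ? 204 : 403;   // logged in but not privileged
}

// The admin data API enforces the same rule on every call, whether or not
// the client ever downloaded the /admin JavaScript.
function adminApi(cookieHeader) {
  const status = authStatus(cookieHeader);
  if (status !== 204) return { status, body: null };
  return { status: 200, body: { users: ['constructed-user'] } };
}
```
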
4
  1. minify
  2. uglify: along with minify you must uglify your code, which makes it difficult to understand; it renames the variables and functions in a very ugly manner, so it is not easy to break the code.
    Also you can encrypt it well, you have to decrypt it when it is needed to use, and that can't remain hidden from the front end tools
Ankit Balyan
  • Please explain "Also you can encrypt as well" – kzh Jun 21 '15 at 11:07
  • @AnkitBalyan That doesn't encrypt your JS code, that's just not possible. How would your browser be able to run the JS code if it's encrypted code!? – Red Mar 09 '19 at 22:24
  • @Red That's exactly what I've mentioned in my answer. "you have and have to decrypt when it is needed to use, and that can't be remain hidden from the front end tools" – Ankit Balyan Mar 13 '19 at 10:57
3

This is the natural behaviour of a front-end framework; you do not hide the source code. There should be no sensitive data whatsoever in your front-end, especially no passwords. Just like Stack Overflow, all the front-end code is and will always be visible to the user.

subZero