2

I have written a lot of functions which use AJAX to call PHP functions in my main.js file. The problem is that anyone can see my logic and the internally called PHP file names of the website by viewing the page source. How should I prevent people from viewing my JavaScript file?

  • You can't. Assume anything you send to the browser can be read by anyone who wants to. –  Nov 16 '13 at 06:30

4 Answers

5

Javascript can be obfuscated, but there's nothing that's going to prevent a client from

  1. seeing the URL strings in your code, or
  2. simply inspecting the HTTP requests themselves to determine what URLs are being hit.

This reinforces the importance of making sure you write solid and secure server-side code. You also want to make sure your web server is configured and secured properly, so that (for example) clients are unable to download the PHP source directly.

zzlalani
Jud
2

You can't stop people from viewing your javascript file, because the readable javascript code is required to correctly execute that code on your page. You can obfuscate the function names and minify the javascript to make it harder to read, but if someone wants to read the file, this will not stop them from doing so.

Instead, you should assume that everyone knows everything about your javascript file, and that everyone is able to alter your javascript file. You shouldn't put any validation solely in your javascript file and in every php page you should somehow check if the request that is made is valid (e.g. was the user allowed to do an ajax request to a certain page at a certain time?).

Sumurai8
  • 1
    Security features should *never* be in Javascript files. Validation, however, is useful. – Jud Nov 16 '13 at 06:33
  • Uhh; that was what I meant. I just couldn't think of the name. Changing that now. – Sumurai8 Nov 16 '13 at 06:34
  • 1
    @Sumurai8 - OK! Does it mean that in each and every PHP page, while executing the real code, I have to check the $_SESSION and $_POST variable values to ensure that this PHP file is accessed by a valid step and not by tricks from reading the JS file? – user2998401 Nov 16 '13 at 06:38
  • @user2998401 Partly, yes. You should always check if all variables you need are present, and not malformed (e.g. "asdf" in a variable that requires an integer). For some pages you probably don't care how someone accessed it (e.g. a page that sends all the comments in html format), but if the page should only run under certain circumstances (e.g. the user is admin and did click the delete comment button), you should check those circumstances somehow. A one-time secret can be useful in these cases. – Sumurai8 Nov 16 '13 at 06:58
  • @Sumurai8 - okay, thanks Sumurai for this info. I will keep them in mind. – user2998401 Nov 16 '13 at 07:01
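The server-side checks described in this answer and its comments (required variables present and well-formed, the user allowed to perform the action, a one-time secret), as an added example that is not part of the original answers. The delete-comment handler and the field names `user_id`, `is_admin`, `delete_token`, `comment_id` and `token` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): checks a hypothetical delete-comment
// AJAX endpoint runs before doing any work. All field names are assumptions.
function handle_delete_comment(array &$session, array $post, string $method): array
{
    // The URL is visible in main.js, so accept only the expected verb.
    if ($method !== 'POST') {
        return [405, 'method not allowed'];
    }
    // Identity and role come from the server-side session, never from the client.
    if (empty($session['user_id'])) {
        return [401, 'not logged in'];
    }
    if (empty($session['is_admin'])) {
        return [403, 'not allowed'];
    }
    // Required variable must be present and a positive integer ("asdf" fails).
    $id = filter_var($post['comment_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [400, 'bad comment_id'];
    }
    // One-time secret stored in the session when the page with the button was
    // rendered. It is consumed on first use, whether or not it matched.
    $expected = $session['delete_token'] ?? '';
    $given = $post['token'] ?? '';
    unset($session['delete_token']);
    if (!is_string($given) || $expected === '' || !hash_equals($expected, $given)) {
        return [403, 'bad or reused token'];
    }
    // Only now would the real work (a parameterised DELETE) run.
    return [200, "comment $id deleted"];
}

// Constructed requests, run from the CLI. In a real page the arguments would
// be $_SESSION, $_POST and $_SERVER['REQUEST_METHOD'].
$admin = ['user_id' => 7, 'is_admin' => true, 'delete_token' => bin2hex(random_bytes(16))];
$guest = ['user_id' => 9, 'is_admin' => false];
$token = $admin['delete_token'];
$cases = [
    ['malformed id', 'admin', ['comment_id' => 'asdf', 'token' => $token]],
    ['non-admin',    'guest', ['comment_id' => '12',   'token' => $token]],
    ['valid',        'admin', ['comment_id' => '12',   'token' => $token]],
    ['replayed',     'admin', ['comment_id' => '12',   'token' => $token]],
];
foreach ($cases as [$label, $who, $post]) {
    [$status, $msg] = handle_delete_comment($$who, $post, 'POST');
    echo "$label: $status $msg\n";
}
```

The replayed request fails even though it is byte-for-byte identical to the valid one, because the token was removed from the session on first use.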
0

You can't hide the JavaScript in the browser. If you did that, your JavaScript-related operations wouldn't run.

Krish R
0

You cannot hide JavaScript files, but you can minify the code so that it will be very difficult for a man to read and understand your logic and all. Something like this:

http://code.jquery.com/jquery-1.10.1.min.js

SHIN