I have a CSV file on the server side which is retrieved by the client with a jQuery AJAX call.

I'd like to hide the text from prying eyes and also ensure the .csv file cannot be viewed or opened using client tools other than my code.

learnerplates
  • 1
    Good luck. If javascript can see it, so can the client. You can't have something be sent to the client's page and not expect the client to have visibility. – Brad Christie Jan 26 '15 at 16:42
  • 1
    You cannot send data to the client without letting the client see that data. – SLaks Jan 26 '15 at 16:48

1 Answer

Clients can view whatever data is sent across the wire. So if you don't want them to have the data, don't send it to them.

However, you can make it difficult for them to see the information by encrypting it on the server and then decrypting it on the client. See Encrypt and decrypt a string. Even then, a clever user could examine the memory used by the application. And encryption is a difficult thing to properly implement.

In the end, you're fighting a losing battle though. Is the person authorized to view the data? If so, then just give them the data. If not, then don't send them the data in the first place.

mason
  • 1
    And if the client needs it, the decryption algorithm will be present on the client--and now you're back to square one. – Brad Christie Jan 26 '15 at 16:44
  • @BradChristie Yes, excellent point. It will only keep the non-technically inclined people from seeing it easily. – mason Jan 26 '15 at 16:46
  • Is there no way to give the client access to a ready-made encryption/decryption algorithm? Through the web.config or something? – learnerplates Jan 26 '15 at 17:23
  • 1
    @learnerplates Yes, there is, but that's the problem. If the client has the encryption/decryption keys, then they can access the data. It's like me handing you a locked box and the key and then not expecting you to be able to open the box with the key. – mason Jan 26 '15 at 17:31
  • I see, yes. And even with Public Private Key encryption the question would still be where would the private key live (there is no login or anything for my app, it's a public-facing site, I just want to prevent sniffing). – learnerplates Jan 26 '15 at 17:38
  • @learnerplates Yes, exactly. With encryption, you're trying to protect the data while it's in transit (the usual way of doing that over the web is HTTPS) so that a 3rd party can't see the information. But it's not good at preventing the client from using it, that just wouldn't make logical sense. – mason Jan 26 '15 at 17:51
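
The trade-off discussed in the answer and its comments, as an added example that is not code from the original thread: the CSV is encrypted with AES-256-GCM on the server, yet anyone who receives the page's key can decrypt it, while transport encryption is what keeps a third party out. The function names, the sample CSV and the simplified `http`/`https` model are assumptions made for illustration.

```javascript
// Added illustration; every name and the sample CSV below are constructed.
const crypto = require('node:crypto');

const SAMPLE_CSV = 'id,name\n1,alice\n2,bob\n'; // constructed sample data

// Server: encrypt the CSV with AES-256-GCM before answering the ajax call.
function serverEncrypt(csvText, key) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const data = Buffer.concat([cipher.update(csvText, 'utf8'), cipher.final()]);
  return { iv, data, tag: cipher.getAuthTag() };
}

// The decryption routine the page's script needs. It works for whoever holds
// the key; it cannot tell "my code" from any other program.
function decrypt(payload, key) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, payload.iv);
  d.setAuthTag(payload.tag);
  return Buffer.concat([d.update(payload.data), d.final()]).toString('utf8');
}

// Try to read the CSV from whatever responses a party has captured.
function recover(captured) {
  if (!captured.payload || !captured.key) return null; // nothing usable seen
  try { return decrypt(captured.payload, captured.key); } catch { return null; }
}

// Model one page load. With no login, the key has to ship inside the script
// that the server hands to every visitor.
function simulate(transport) {
  const key = crypto.randomBytes(32);
  const responses = { key, payload: serverEncrypt(SAMPLE_CSV, key) };
  return {
    // The browser, and any other tool on the client, receives both responses.
    client: recover(responses),
    // Simplified model: plain HTTP exposes both responses to a third party on
    // the network; HTTPS exposes neither.
    thirdParty: recover(transport === 'http' ? responses : {}),
    // Ciphertext plus a guessed key: all that the cipher itself protects against.
    wrongKey: recover({ payload: responses.payload, key: crypto.randomBytes(32) }),
  };
}
```

In this model the application-level encryption changes nothing for the client in either case; only the transport decides what a third party can read.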