0

I have a web site that is protected by forms authentication and it shows some HTML pages that have some dynamic content being provided by javascript files.

But how do I stop an authenticated user from viewing my javascript files?

So let's say my users are at this url:

http://mywebsite/render/html/mainpage.htm

How do I stop a user entering this url and viewing my javascript:

http://mywebsite/render/jscript/myjsfile.js

So I tried this in my web.config but it just stopped my javascript from working:

```xml
<location path="render/jscript">
    <system.web>
      <authorization>
        <deny users="*"/>
      </authorization>
    </system.web>
</location>
```

I'm assuming this must be possible and something really simple I'm missing...

sbarnby71
  • You can't. Is your `.js` that secret and exclusive? `but it just stopped my javascript from working:` - yes because the browser needs to access it in order to run it. – Nick R Oct 28 '15 at 15:14
  • Like everyone else said, you can't. But you could obfuscate them, so the casual user wouldn't be able to read them, but if they're looking at them then chances are that won't help either. – Coz Oct 28 '15 at 15:15
  • Possible duplicate of [How can I limit the serving of a javascript file to only authenticated users?](http://stackoverflow.com/questions/23879769/how-can-i-limit-the-serving-of-a-javascript-file-to-only-authenticated-users) – Blue Oct 28 '15 at 15:15

2 Answers

1

I apologize, I thought you said, how do I stop unauthenticated users from browsing JavaScript files. Put simply, this isn't possible. JavaScript is a client-side language, and therefore needs to be parsed by the browser, which requires users to be able to view/download it. If you're looking to secure this code, I recommend moving pieces to server-side processing, or, as a temporary stopgap, obfuscating the code, which will make it non-human-readable (although there are a fair number of deobfuscators out there, so this isn't a real solution).

Blue
  • thanks for the info guys, yes that makes sense about the javascript being client side, just would have been nice to hide the workings from the end users, but hey. – sbarnby71 Oct 28 '15 at 15:24
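
The "move pieces to server-side processing" recommendation from the answer above, as an added example that is not part of the original answers. The `/api/quote` route, the `sid` cookie, the session store and the discount rule are hypothetical; only the `/render/jscript/myjsfile.js` path comes from the question.

```javascript
'use strict';
// Added example with constructed data; not code from the question or answers.

// ---- Server side: none of this is ever sent to the browser ----
// Constructed sample session store, keyed by the value of a hypothetical "sid" cookie.
const SESSIONS = new Map([['s-123', { user: 'alice', tier: 'gold' }]]);
// The logic the site owner wants to keep private (hypothetical business rule).
const TIER_DISCOUNT = { gold: 0.20, silver: 0.10 };

function parseCookies(header = '') {
  return Object.fromEntries(
    header.split(';').map(p => p.trim().split('=')).filter(kv => kv.length === 2));
}

// Handles POST /api/quote. Returns { status, body } so it can sit behind any
// HTTP framework. Authentication is checked on every call, because the
// endpoint URL is visible to anyone who reads the client script.
function handleQuote(req) {
  const session = SESSIONS.get(parseCookies(req.headers.cookie).sid);
  if (!session) return { status: 401, body: { error: 'not authenticated' } };
  const amount = Number(req.body && req.body.amount);
  if (!Number.isFinite(amount) || amount <= 0) {
    return { status: 400, body: { error: 'invalid amount' } };
  }
  const discount = TIER_DISCOUNT[session.tier] || 0;
  const total = Math.round(amount * (1 - discount) * 100) / 100;
  return { status: 200, body: { total } };
}

// ---- Client side: the full text a user sees at /render/jscript/myjsfile.js ----
// It holds only the call and the rendering, not the rule that produces the number.
const CLIENT_JS = `
async function showQuote(amount) {
  const r = await fetch('/api/quote', {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ amount })
  });
  if (r.status === 401) { location.href = '/login'; return; }
  document.getElementById('total').textContent = (await r.json()).total;
}`;
```

Anything the script still needs in order to run in the browser remains readable there, so this only protects the parts that are actually moved behind the endpoint.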
1

JavaScript is client-side code and, like any other client-side code, once it reaches the client it is owned by the client. Thus, any JavaScript code you send to the browser can be seen by the client.

You can try to make the code less readable by minifying and obfuscating it. But you simply can't create JavaScript functionality and stop access to the code behind that functionality.

Valentin S.