1

Is it possible to send javascript code to a client, and have it send back information to a server, without the user being able to intercept it, see it, or alter it. As far as I know this is not possible, but I am unsure about certain realtime protocols like socket/ajax. Could somebody intercept a web socket?

If this is not possible, is there a clever solution to verify that the code was not altered, or at least make it more difficult for the code to be altered? Perhaps Dom Mutation-Events? What about obfuscating certain sensitive parts of the code/data?

ie: How does Google Analytics know that a given user has not created false data?

Chris St Pierre
  • 350
  • 1
  • 10
  • Do you absolutely need to send js or can you dynamically just create a cookie that can be interpreted on the server side? Trying to figure out what exactly your goal is. – Catherine Smith Apr 14 '16 at 04:13
  • Short answer is no. Long answer is see [this question](http://stackoverflow.com/questions/1660060/how-to-prevent-your-javascript-code-from-being-stolen-copied-and-viewed) – Aaron Gillion Apr 14 '16 at 04:14

1 Answers1

2

No.

Anything client-side is up for grabs and can be read, stolen or changed.

Never trust anything the client sends to your server. Even if generated by client-side code, the client-side code could have been altered meaning the data is unreliable. Even Flash can be decompiled, or the requests sent through the host browser can be manipulated.

The trust level only extends to the fact that you can reasonably expect data not to have been altered in transit when HTTPS is used (of course caveats apply). This is only a trust relationship between the user and server though, so does not account for malicious users of your application or if the user has been compromised.

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145