5

I have disabled Google chrome developer tools on website. However one can still access it using below methods,

  1. Open another website say www.google.com
  2. Press F12 -> Developer console will open
  3. Visit my website -> Bingo chrome developer tools are now able to play with my website.

How can I disable this behavior ? How can I close Google chrome developer console if it is already open ?

Amit
  • 13,134
  • 17
  • 77
  • 148
  • 2
    What is purpose of closing developer tools? – guest271314 Aug 31 '16 at 20:33
  • One use case could be if we are hiding some buttons, links due to to user access settings. If that element is present in DOM user can simply go ahead and enable that link. Which we want to prevent. – Amit Sep 01 '16 at 07:09
  • _"If that element is present in DOM user can simply go ahead and enable that link."_ How would closing `console` or `devtools` prevent user from viewing source of document? Are you trying to disable `javascript` at `document`? Or prevent element from being changed by user? – guest271314 Sep 01 '16 at 07:14
  • 2
    You can exclude elements from initially being loaded into document, then request, append elements to document when user settings allow access to elements – guest271314 Sep 01 '16 at 07:21
  • 1
    @aProgrammer If an unauthorized user can load any page they are not meant to, then you clearly have flaw in whatever system you have for permissions. You can easily declare a rank for a user and then require all users accessing a certain page to be above that rank, if they are not the page simply outputs an error and does not execute any request. Regardless if they enable the link or not- you will be protected. – BinaryEvolved Sep 02 '16 at 22:08
  • 1
    Never trust the user. So don't do permission handling on the client side, do it on the server side e.g. by AJAX requests. – Frederic Klein Sep 04 '16 at 16:58

4 Answers4

9

There is no reliable way to prevent a client from modifying, or viewing any data sent to their browser.

I can't find a proper reason to ever want, or need to disable tools such as the F12 Developer tools in chrome. Nor would there ever be a way to perform such an operation so long as you are sending data.

Let's assume through some bug in Chrome, or by using javascript- you are able to disable access to the developer tools. That's great! But what prevents a user, malicious or not, from making a cURL request to your website and just saving the HTML for editing and viewing later? Nothing!

Practices you should follow instead of in-effectively preventing access to developer tools:

  1. Assume that all data sent to a client, at any time, is being saved indefinitely. This also means that at any time the client may view the source data for your website, for all versions of your website that have ever existed. Never send anything sensitive that may be used later even after the client loses authenticated access.
  2. Assume that a client may be using a browser that doesn't follow regulations. The browser may not execute or interpret your javascript, or may even modify it before final presentation to an end user. You should develop your website for compliant browsers, while at the same time understanding that you can't trust the client's javascript to determine if a user should be authenticated to a page or not, that kind of handling needs to occur server side.
  3. Ensure all pages of your website display the proper copyright and licensing terms. If your worry is theft of all your hard work: While it can be annoying to have a random user steal your website's design after hours of work on it. They are likely going to have little impact on your project. However, clearly stated licensing and copyright prevents anyone working for a company or school project for using your work with or without credit (depending on the licensing).

Even if someone is able to modify the source code for your website.. So what? It shouldn't matter assuming you follow the proper practices and guidelines. Authentication and logic is all handled on the server side of things, and javascript/html should only be used to enhance the user's experince- not perform critical logic or data interactions.

BinaryEvolved
  • 900
  • 9
  • 18
3

As per my knowledge this isn't possible

and is best avoided anyway. Even if a solution can be found, bear in mind that most browsers these days allow the user to prevent Javascript from interfering with their browser settings and window chrome, even when using window.open. So you've got absolutely no way of guarenteeing the behaviour that you're looking for.

But yes you can prevent F12 key using trick It might be helpful to you..

window.oncontextmenu = function () {
   return false;
}
document.onkeydown = function (e) { 
    if (window.event.keyCode == 123 ||  e.button==2)    
    return false;
}

I just tested this and its working for me ... http://output.jsbin.com/vayukuqubo

Its just disable disable rightclick & F12 on your page, but there is no way to stop a user from opening Dev Tools Menu > Tools > Developer tools

Anant Dabhi
  • 10,864
  • 3
  • 31
  • 49
  • I think we can't do it in bank websites. . . . – Amit Aug 24 '16 at 13:20
  • @aProgrammer Yes, we can't do anything because its a end users browser :). – Anant Dabhi Aug 24 '16 at 13:42
  • I mean we can't open developer tools in bank's websites. – Amit Aug 24 '16 at 14:27
  • 1
    You can still open devtools if you put cursor to the address bar. – loislo Aug 24 '16 at 20:46
  • btw it is not possible to prevent the user to get access to the sources of your page. – loislo Aug 24 '16 at 20:48
  • 1
    @aProgrammer As BinaryEvoloved explained, if you rely something on hiding the code you send to the client, it won't work. There are more ways to get client side code your than you think, even without dev console. There are [proxies](http://www.telerik.com/fiddler), there are [packet capturers](https://www.wireshark.org/), there are [memory scanners](https://en.wikipedia.org/wiki/Memory_address), there are [https attacks](https://yro.slashdot.org/story/16/08/04/1541248/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages), all out of your control. Put important code on server. – Sheepy Sep 05 '16 at 02:38
  • @aProgrammer You can also use javascript obfuscator to..https://javascriptobfuscator.com/Javascript-Obfuscator.aspx – Anant Dabhi Sep 05 '16 at 06:36
3

In fact You should never disable control of the tools which are at client side, to make your website/data secure.

You can not prevent user to open the developer console from one or other way but there is a way to prevent user doing malicious activities/play with your website (terribly bad thing but possible). You can refer this question for the detailed understanding and solution.

The only reasonable way to protect your data is to write secure code on server side and remember that if you allow someone to download some data, he can do with it whatever he wants.

Community
  • 1
  • 1
Hemant Metalia
  • 29,730
  • 18
  • 72
  • 91
0

The best i can do is see if the user is in dev tools. Here is my code:

<!DOCTYPE html>
<html>
    <body>
        <pre id="output"></pre>
        <script type="text/javascript">
            var element = new Image;
            var devtoolsOpen = false;
            element.__defineGetter__("id", function() {
                devtoolsOpen = true; // This only executes when devtools is open.
            });
            setInterval(function() {
                devtoolsOpen = false;
                console.log(element);
                if (devtoolsOpen == true) {
                    // run code if dev tool are open
                } // else here if you like to see if dev tools are not open
            }, 1000);
        </script>
    </body>
</html>

Every second it will say if the user has dev tools open or not.

Alien 10
  • 71
  • 2
  • 8