Is there any way to white-list an IP Address using solely JavaScript or do I have to use php or some other server-side language? By white-list, I mean only a certain number of specified IP's can access a webpage. If this isn't possible with JavaScript, then please let me know.
Asked
Active
Viewed 1,877 times
-2
-
Javascript is client-side so could easily be bypassed. It would be best done via your webserver (Apache/IIS most likely) – Syntax Error Oct 16 '16 at 01:13
-
question a bit to open ended. what is the server software, or trying to do this in the browser and dong something like adblock / ghostry. is there any user authentication system, ACL (access control list) authentication or like script. if there is a block list there is a allowed list. are you dealing with a router / AP (access point) or like? – Ryan Sanders Oct 16 '16 at 01:50
-
Sorry, I am using Github to host a webpage. The method I was describing above wouldn't offer much security anyway. I was just curious to see if it could be done. Last time I checked, Github doesn't support server side languages. – YourEverydayCodingEnthusiast Oct 16 '16 at 01:56
1 Answers
1
It is possible but would be very easy to circumvent client-side IP checking. All a user would need to do is disable Javascript in their browser and they'd be able to access the site.
IP whitelisting is typically something that's done by the web server (Apache, Nginx, IIS); Not web applications (PHP, Python, NodeJS) and especially note client-side scripts.
- Apache: https://httpd.apache.org/docs/2.4/howto/access.html
- Nginx: https://www.nginx.com/resources/admin-guide/restricting-access/
- IIS: https://technet.microsoft.com/en-us/library/cc731598(v=ws.10).aspx
If you really want to do this client-side, you have to actually call out to a service that tells you what IP address you're using. See this SO question for examples of how to do this. You can then compare the IP address against an array of allowed IPs. If it doesn't match any, the easiest way to deny access is to redirect the user away from the site.
Once again, CLIENT-SIDE WHITELISTING IS INSECURE AND NOT AT ALL RECOMMENDED!
-
I've suspected as much, but, is there still a way to do it? I'm not trying to make it as secure as Fort Knox here, so anything would do. – YourEverydayCodingEnthusiast Oct 16 '16 at 01:16
-
@YourEverydayCodingEnthusiast it isn't adding any security if they can just open developer tools and bypass it instantly – abc123 Oct 16 '16 at 01:18
-
I'd pay attention to the advice you're getting, using js for anything related to access is pointless, with one exception: the entire page is built with js and with js disabled, there's literally nothing to see. Note also that bots will generally not execute js so js whitelists would do exactly zero to keep out anyone unwanted. Use php or another server side language, that's easy, trivial really, and will work. Anyone using noscript would never even suspect there was a whitelist running in the first place. – Lizardx Oct 16 '16 at 01:21
-
@YourEverydayCodingEnthusiast I've updated the answer with an explanation of how it can be accomplished with javascript. Now mark this question correct so I can go wash off the dirtiness I feel for even suggesting it. – Soviut Oct 16 '16 at 01:23
-
You're right, I guess anyone with any experience with web development could immediately bypass the security. I am just trying to prevent random joe schmoes from getting on the webpage. – YourEverydayCodingEnthusiast Oct 16 '16 at 01:26
-
The set up access control on your web server and whitelist the valid IPs. This is considerably easier than trying to lock out a client. – Soviut Oct 16 '16 at 01:29