0

I am trying to find a way to protect/hide/encrypt my JavaScript code. After a little research, I gather that you cannot do that. I found only that you can minify your code and do some other tricks. However, on Facebook, if you try to inspect an element or try to debug, you get a message in the console and you cannot see any code. How can I do that? Is it safe? I am working with Firebase and I use JavaScript for getting data and authentication. It is important to ensure that my code is protected.

Sergio Tulentsev
  • It's important to distinguish between "I can't see any code" and "there's no code". I assure you, the code is still there. – Sergio Tulentsev Jan 29 '17 at 07:49
  • Reading this [question](http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools) might help you. – Daniel Lagiň Jan 29 '17 at 08:00

3 Answers

7

You can't protect JS code - it resides on the client and needs to be readable by the browser. You can obfuscate it, but that's it. If you have IPR that you wish to protect, keep it server-side.

Also, please don't use JS for any form of authentication! Same goes for validation of data - sure, use it for quick client-side error highlighting, but complement it with server-side validation too.

Otherwise, anyone with tools such as Burp Suite will have a field day.

Simon Catlin
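The server-side half of the advice in the answer above, as an added example that is not part of the original answer: a handler that takes identity from its own session store and re-validates every field, whatever the browser-side script did. The session ids, user names, field rules and function names are hypothetical and constructed for illustration.

```javascript
// Added example. All names and sample values are hypothetical/constructed.
// Server-side state: the browser only ever holds the opaque session id.
const sessions = new Map([
  ['sess-constructed-alice', { uid: 'alice', role: 'user' }],
  ['sess-constructed-bob', { uid: 'bob', role: 'user' }],
]);
const profiles = new Map([['alice', { displayName: 'Alice', age: 30 }]]);

// Same rules the client-side form may apply for quick error highlighting,
// enforced again here because the request can be edited in transit.
function validateProfile(input) {
  const errors = [];
  if (input === null || typeof input !== 'object') return ['body must be an object'];
  const { displayName, age } = input;
  if (typeof displayName !== 'string' || !/^[\w .-]{1,40}$/.test(displayName)) {
    errors.push('displayName must be 1-40 letters, digits, spaces, . _ or -');
  }
  if (!Number.isInteger(age) || age < 13 || age > 120) {
    errors.push('age must be an integer between 13 and 120');
  }
  return errors;
}

// request: { sessionId, targetUid, body }, as parsed from an HTTP request.
function handleProfileUpdate(request) {
  // Identity comes from the server's session store, never from the body.
  const session = sessions.get(request.sessionId);
  if (!session) return { status: 401, errors: ['not authenticated'] };

  // Authorization: a user may only write their own record. Client-supplied
  // fields such as body.role or body.uid are never consulted.
  if (session.uid !== request.targetUid) {
    return { status: 403, errors: ['cannot modify another user'] };
  }

  const errors = validateProfile(request.body);
  if (errors.length > 0) return { status: 400, errors };

  // Store only the whitelisted fields; extra properties are dropped.
  const { displayName, age } = request.body;
  profiles.set(session.uid, { displayName, age });
  return { status: 200, errors: [] };
}
```

A request that skips the page's JavaScript entirely gets the same 401, 403 or 400 as one sent through the form, so nothing depends on the client code staying hidden.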
1

You can't. You can minify or use other obfuscation techniques, but ultimately, the source is always available otherwise the browser wouldn't be able to run it. So don't try to do any sort of authentication or security that doesn't talk to a server for verification.

Facebook doesn't hide their source either. I assume you're talking about the Stop! message.


That's just a message they print in the console using some `console.log()` commands with styles. It's meant as a warning to prevent naive end users from running code as part of a scam.

To see the HTML, just click on the Elements link in the Chrome developer tools.


Or just prefix any URL with `view-source:`, like `view-source:https://www.facebook.com/`.

Soviut
-1

I just wanted to share with everyone who has the same problem: Firebase gives you the option to set the rules for the application. https://firebase.google.com/docs/database/security/quickstart

  • The security rules explained in that link do not relate at all to JavaScript or protecting your source code; they're only for data access purposes. Unless the source code you want to protect is read from the database, it won't do anything (and you would still need to serve the authentication and data access code publicly to be able to use that). – Mismatch Aug 15 '18 at 21:50