0

Hello i am creating a form in which user have to find password to access the other page.As I am hard codding correct password in my if condition.Some users will inspect it and know the password.So I am struggling to hide my if statement or even all JavaScript code from being inspected. 

<!DOCTYPE html>
<html lang="en" >
<head>
  <meta charset="UTF-8">
  <title>Login Form</title>
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css">
<link rel="stylesheet" href="./login/style.css"><script src="https://cdnjs.cloudflare.com/ajax/libs/prefixfree/1.0.7/prefixfree.min.js"></script>

</head>
<body>
<!-- partial:index.partial.html -->
<div class="login">
    <h1>Login</h1>
    <form method="post">
        <input type="password" id="password" name="p" placeholder="Password" required="required" />
        <button type="button" value="Login" onclick="checkPassword()" class="btn btn-primary btn-block btn-large">login</button>
    </form>
</div>
<!-- partial -->
  <script  src="./login/script.js"></script>

</body>
</html>       <script>
      function checkPassword(){
       if(document.getElementById('password').value == 'layriix'){
          location.href = "https://gunsellerlayr.000webhostapp.com/gunseller.html";
         } else {
         alert('Wrong Password!');
          return false;
        }
       }
      </script>
Ahmed Ali
  • 1,908
  • 14
  • 28
Lxf7x
  • 15
  • 1
  • There are ways to obfuscate JS code, but since 000webhostapp.com supports PHP, you can just actually send the form and compare the password server-side. –  Sep 14 '19 at 09:41
  • simple answer - you can't. If it need to run in the browser, it can be seen by end user - change your logic so server holds sensitive data – Jaromanda X Sep 14 '19 at 09:41
  • 1
    Possible duplicate of [How can I obfuscate (protect) JavaScript?](https://stackoverflow.com/questions/194397/how-can-i-obfuscate-protect-javascript) – Ahmed Ali Sep 14 '19 at 09:44

2 Answers2

0

Since, I can't comment. I will try to list out everything in an elucidated manner.

Firstly, answering your main question, there is no way to hide client-side code, that is the JavaScript that you are serving to the browser. You can maybe try obfuscating it, but if it is being served to a client, you cannot really hide it.

Now, what you are attempting to do, is frankly not a thing you should be doing. Passwords on the client side are in no way a method to validate somebody. What you would want to look into is sending this password as a body of https post request, and then doing the validation of the password server side.

Secondly, there also happens to be absolutely no method of preventing a user going to the page, that you are trying to prevent them from going to. Instead of trying to even write the password. They can simply copy and paste it in the url window, or run the location.href in the console.

To put it better, if you want to authenticate somebody, you HAVE to do it server side and secondly you have to prevent access to the page, from users that are not logged in.

Aaditya Sahay
  • 34
  • 6
-1

You can obfuscate it, but there's no way of protecting it completely.
Tool Link : obfuscator.io

Ahmed Ali
  • 1,908
  • 14
  • 28