How to hide html source & disable right click and text copy?

Question

The following website has both right click and view source disabled.

http://www.immihelp.com/visitor-visa/sponsor-documents.html

Can anyone shine some light on how this is possible?

Press Control+U on that site... I see plenty of source code :) — James Allardice, Jul 06 '11 at 13:35
Whoa, a 'right-click disabled' script. Flashback from 10-15 years ago! — Devin Burke, Jul 06 '11 at 13:38
Whenever a page prevents me from doing thus, I find it my solitary goal to view the source -- makes me happy for a short few moments before reality sucks me back in. — George Johnston, Jul 06 '11 at 13:41
From the HTML-source of the linked page: "Contents of this webpage can't be seen as they are not meant to be viewed or copied." Yeah, who don't want a website, which contents aren't viewable? And my Opera settings doesn't allow to override the right-click via JavaScript or Plugins… — feeela, Jul 06 '11 at 14:06
Firefox and Chrome can disable the stupid right-click popups, so right-click works as expected. Goodbye, right-click-disable script. — Kevin Ji, Apr 09 '12 at 20:09
what about an html encrypter http://www.iwebtool.com/html_encrypter — php_javascript_html_dev, Jan 10 '13 at 11:52

score 101 · Accepted Answer · answered Jul 06 '11 at 13:34

101

The following website has both right click and view source disabled.

They fooled you. Just scroll down in view-source.

Furthermore, employing such tactics marks you as unprofessional. Don’t do it.

answered Jul 06 '11 at 13:34

Konrad Rudolph

530,221
131
937
1,214

3

Disabling right click is a usability attack, but simple tricks like loads of newlines on the beginning or prevent direct download of images with other wrapping images is working for 99% of the users so it's quite effective and doesn't cause any harm. Just because 1% of the population can easily circumvent it doesn't mean it useless. – Karoly Horvath Jul 12 '11 at 20:30
18

@yi_H It’s still useless because you are protecting a worthless asset, at the expense of (1) either decreasing readability of your own code (which you have to maintain) or (2) having entirely useless view logic in your web application. This seems *quite* unprofessional to me. Furthermore, the 1% who can circumvent the “security measure” is the only 1% actually interested in the code in the first place. – Konrad Rudolph Jul 12 '11 at 20:32
1

If you think that only that 1% of users want to download images you are seriously misguided. – Karoly Horvath Jul 12 '11 at 20:44
1

@yi_H I think that only 1% (much less, actually) who want to download images would know to look for them in the source code. – Konrad Rudolph Jul 12 '11 at 20:50
That's why I gave the wrapper image example. But anyway.. I'm not saying hiding content is a good idea (it's up to the owner what he wants) I'm just saying it works. – Karoly Horvath Jul 12 '11 at 20:55

score 33 · Answer 2 · answered Jul 06 '11 at 13:34

33

They do this with some basic javascript, but this does not actually hide your HTML source! In many browsers you can simply go to view->source on the menu. Even if you couldn't, it is trivial to simply load up a debugging proxy like Fiddler, or packet-sniff the connection.

It is impossible to effectively hide the HTML, JavaScript, or any other resource sent to the client. Impossible, and isn't all that useful either.

Furthermore, don't try to disable right-click, as there are many other items on that menu (such as print!) that people use regularly.

answered Jul 06 '11 at 13:34

Brad

159,648
54
349
530

zapreaction.com they have disable CTRL+U . I am looking how they done it,. No source view nor you can right click. – Jarnail S Aug 26 '16 at 05:05
@Jai Well for one they're using an iframe to load `/home.php`. I know this because I can view their source code using the methods I described in my answer. Just hit F+12 (in Chrome anyway) or otherwise open your developer tools. Also, any site doing this that is advertising to be a web development/SEO agency is not someone I would ever use. – Brad Oct 27 '16 at 15:46

Jishnu V S · Answer 3 · 2021-03-02T09:22:41.847

15

This code is used for disable the right click events and keyboard shortcuts.

Just try with this code

document.onkeydown = function(e) {
    if(e.keyCode == 123) {
     return false;
    }
    if(e.ctrlKey && e.shiftKey && e.keyCode == 'I'.charCodeAt(0)){
     return false;
    }
    if(e.ctrlKey && e.shiftKey && e.keyCode == 'J'.charCodeAt(0)){
     return false;
    }
    if(e.ctrlKey && e.keyCode == 'U'.charCodeAt(0)){
     return false;
    }

    if(e.ctrlKey && e.shiftKey && e.keyCode == 'C'.charCodeAt(0)){
     return false;
    }      
 }

edited Mar 02 '21 at 09:22

answered Oct 15 '16 at 00:49

Jishnu V S

8,164
7
27
57

it just disables the keyboard shortcuts, nothing else – Darksymphony Apr 28 '22 at 11:26

score 14 · Answer 4 · answered Jul 08 '14 at 07:03

14

 <body oncontextmenu="return false">

Use this code to disable right click.

answered Jul 08 '14 at 07:03

Nikhil Dinesh

3,359
2
38
41

score 13 · Answer 5 · edited May 23 '17 at 12:32

Hiding HTML source isn't really possible. Disabling right-click only frustrates users who wish to do something constructive with your content (copy/paste content or forms, or print, for example).

If you're running a server-side scripting language you could obfuscate or minify the HTML, CSS and Javascript. This will make it harder for someone to copy your code or see how you've achieved certain effects.

score 13 · Answer 6 · answered Jul 06 '11 at 14:02

13

It's a horrible thing to do, as everybody else has said, but if you really are intent on doing it, use this code, and put a load of returns at the top of the page's source:

<html>
  <head>
    <script>
      function disableClick(){
        document.onclick=function(event){
          if (event.button == 2) {
            alert('Right Click Message');
            return false;
          }
        }
      }
    </script>
  </head>
  <body onLoad="disableClick()">
  </body>
</html>

answered Jul 06 '11 at 14:02

Grezzo

2,220
2
22
39

1

Man, this is great, it only works for Mozilla though not for Chrome, why? – pancy1 Sep 30 '16 at 07:21
It looks like `onclick` isn't fired for a right click in chrome (I think it used to be), change it to `onmousedown` and it will work for chrome – Grezzo Sep 30 '16 at 12:18

score 11 · Answer 7 · edited May 23 '14 at 11:00

11

You can still view the source on the website by going to View > Page Source from the toolbar in firefox. Or View > source in IE.

The right-click is disabled via javascript. The source for the javascript is:

http://www.immihelp.com/common/utils.js

edited May 23 '14 at 11:00

katalin_2003

787
1
16
30

answered Jul 06 '11 at 13:35

Taryn

242,637
56
362
405

score 9 · Answer 8 · answered Jul 06 '11 at 13:37

Believe me, no one wants your source as much as you may think they do. When you decided to develop web pages, you became an open source developer.

It's not possible to disable viewing a pages source. You can attempt to circumvent unknowledgeable users from seeing the source, but it won't stop anyone who understands how to use menu's or shortcut keys. Your best bet is to develop your site in a manner that will not be compromised by someone seeing your source. If you're attempting to hide it for any other reason than to protect your intellectual property, then you're doing something wrong.

score 7 · Answer 9 · edited Mar 13 '20 at 13:33

7

You potentially can not prevent user from viewing the HTML source content. The site that you have listed prevents user from right click. but fact is you can still do CTRL + U in Firefox to view source!

edited Mar 13 '20 at 13:33

ROOT

11,363
5
30
45

answered Jul 06 '11 at 13:33

Prashant Bhate

10,907
7
47
82

3

`Ctrl+U` works in nearly every browser I've ever saw. Lynx is an exception. – feeela Jul 06 '11 at 14:12
1

zapreaction.com they have disable CTRL+U – Jarnail S Aug 26 '16 at 05:04
1

@prashant Bhate http://stackoverflow.com/a/40053874/6572922 this link will remove the short keys and right click – Jishnu V S Dec 01 '16 at 01:43
if your content is generated by ajax, the source code shows just empty tag without content, that is how I do it – Darksymphony Apr 25 '22 at 17:26
if you inject your code with ajax from backend, the source code will show just empty tags, so user can do CTRL+U as many times he wish :) – Darksymphony Apr 28 '22 at 11:27

score 5 · Answer 10 · edited Dec 30 '17 at 22:29

5

If you are using jQuery, it is possible to disable rightclick on the whole page like this:

$( document ).ready(function() {
    $("html").on("contextmenu",function(){
        return false;});}

edited Dec 30 '17 at 22:29

Adam Kaplan

1,954
17
16

answered Dec 30 '17 at 21:55

Gilbert Cut

113
1
12

This answer assumes jquery is included and available, right? I don't think the answer stands on it's own as is. – Adam Kaplan Dec 30 '17 at 22:24
The answer provides working solution. jQuery is JavaScript library easy to use. I assume "contextmenu" has equivalent in JavaScript as well... – Gilbert Cut Jan 02 '18 at 03:56

score 5 · Answer 11 · answered Jul 06 '11 at 13:36

View source is not disabled in my browser (Chrome).

But they have added a lot of blank lines to the source, so you have to scroll down to view it. Try to scroll down and you will see.

the disabled right click is possible with javascript, but dont do it. Its very irritating for the user.

I haz kode · Answer 12 · 2017-08-18T08:21:09.590

3

You can't.

ANYTHING that can be read by the browser can also be read by humans. If you want something hidden, don't send it to the user's browser.

You can add all sorts of gimmicks and tricks to disable right-click and disable ctrl+U

All a user has to do is add view-source: to the url and they will see the source right away.

Example

view-source:https://stackoverflow.com

edited Aug 18 '17 at 08:21

answered Aug 18 '17 at 06:49

I haz kode

1,587
3
19
39

No, I am pulling my content in php file from DB and via ajax I am injecting it to HTML template. So if the user views the source, he will see only empty HTMl tags without content. If he disables javascript, the content is not injected at all. – Darksymphony Apr 28 '22 at 11:32

score 2 · Answer 13 · answered Jul 30 '13 at 03:52

You cannot effectively hide your HTML and JavaScript code, even if you encrypt or minify it.

If the code you're trying to hide is really sensitive, it should either be in a protected area of the site, i.e. an area that you can only access via a username and password, or potentially in a client application that isn't exposed via the web.

If you have to expose the application functionality via a web frontend, you could use Silverlight to write the frontend or bits of the frontend. In the old days you could also use ActiveX.

score 2 · Answer 14 · edited Oct 25 '16 at 22:48

2

<script>
$(document).ready(function() {
    document.onkeydown = function(e){
        if (e.ctrlKey &&
            (e.keyCode === 67 ||
                e.keyCode === 86 ||
                e.keyCode === 85 ||
                e.keyCode === 117)) {
            return false;
        } else {
            return true;
        }
    };
});
</script>

edited Oct 25 '16 at 22:48

nyedidikeke

6,899
7
44
59

answered Jun 17 '15 at 12:52

Ashwin Upadhyay

151
5

score 2 · Answer 15 · answered Aug 16 '19 at 18:15

I have constructed a simple self checking php file, it only allows real loading by humans, and not robots like ( online source code viewer's ) ..

I'm not sure about View Source from Chrome, but it does block access to the html... Not just obfuscation, it uses a bounce back submittance to validate loads.

The short code was still visible in source viewers, so i obfuscated it also...

The page is loaded and bounces back, the bounce gets the real page, not the loader !

   // Create A New File called ( lock.php )

Copy this into it....

<?php 
// PAGE SOURCE GUARD by Elijah Cuff.
if (!hasParam('bounce'))
{
echo "
<script type='text/javascript'>
<!-- 
eval(unescape('%66%75%6e%63%74%69%6f%6e%20%63%36%36%32%32%30%36%62%32%63%28%73%29%20%7b%0a%09%76%61%72%20%72%20%3d%20%22%22%3b%0a%09%76%61%72%20%74%6d%70%20%3d%20%73%2e%73%70%6c%69%74%28%22%37%36%33%33%31%37%31%22%29%3b%0a%09%73%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%30%5d%29%3b%0a%09%6b%20%3d%20%75%6e%65%73%63%61%70%65%28%74%6d%70%5b%31%5d%20%2b%20%22%35%37%35%31%36%35%22%29%3b%0a%09%66%6f%72%28%20%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%73%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%7b%0a%09%09%72%20%2b%3d%20%53%74%72%69%6e%67%2e%66%72%6f%6d%43%68%61%72%43%6f%64%65%28%28%70%61%72%73%65%49%6e%74%28%6b%2e%63%68%61%72%41%74%28%69%25%6b%2e%6c%65%6e%67%74%68%29%29%5e%73%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%29%2b%2d%36%29%3b%0a%09%7d%0a%09%72%65%74%75%72%6e%20%72%3b%0a%7d%0a'));
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%63%36%36%32%32%30%36%62%32%63%28%27') + '%47%67%7f%76%73%44%15%15%45%69%74%7e%76%23%7a%6e%7f%6f%75%6c%46%2f%73%74%7f%7f%2d%2f%6a%6f%42%28%7e%62%7a%2d%45%15%15%47%66%71%73%7a%7a%20%7f%78%73%6a%45%2d%6b%66%6f%6f%6a%74%2e%23%73%62%72%6d%46%2d%61%70%7e%75%69%6d%2d%21%79%66%74%7e%6e%4a%2d%32%29%44%44%30%68%71%77%7d%7f%41%1a%15%47%34%6c%73%7d%74%41%12%16%47%7c%60%7d%6a%77%7a%42%16%17%23%7c%69%71%6f%7c%78%31%78%6b%7c%5f%68%76%6a%73%7e%7f%27%69%7e%75%69%7c%6a%72%71%2f%29%23%84%1a%15%23%6b%75%6f%7e%74%6e%75%7c%31%68%62%7f%4e%73%6b%75%6e%73%7f%49%79%4a%6f%27%67%28%79%67%7b%67%2a%2a%35%7f%7e%6d%7a%6a%7f%2f%2f%47%16%17%23%27%85%37%23%33%33%33%2e%41%15%15%45%30%78%6f%7d%6a%7f%7f%41%12%10%44%30%69%7f%72%74%417633171%35%39%35%35%31%30%36' + unescape('%27%29%29%3b'));
// -->
</script>
<noscript><i>Javascript required</i></noscript>
";
exit;
}
function hasParam($param)
{
    return isset($_POST[$param]);
}
?>

NOW ADD THIS TO THE VERY TOP OF
EVERY PAGE .. Example....

<?php
 // use require for more security...
include('lock.php'); 
?>

<HTML> 
etc.. etc...

score 1 · Answer 16 · edited Mar 13 '20 at 13:32

1

You can use JavaScript to disable the context menu (right-click), but it's easily overwrittable. For example, in Firefox, go to Options -> Content and next to the "Enable JavaScript" check box, click Advanced. Uncheck the "Disable or replace context menus" option. Now you can right-click all you want.

A simple CTRL + U will view the source. That can never be disabled.

edited Mar 13 '20 at 13:32

ROOT

11,363
5
30
45

answered Jul 06 '11 at 13:36

Michael Irigoyen

22,513
17
89
131

zapreaction.com they have disable CTRL+U – Jarnail S Aug 26 '16 at 05:02

score 0 · Answer 17 · answered Jun 17 '15 at 12:49

0

$(document).ready(function() { 
 `$(document).bind("contextmenu copy paste cut drag drop ",function(e {`return false;`});`

answered Jun 17 '15 at 12:49

Ashwin Upadhyay

151
5

score 0 · Answer 18 · answered Dec 01 '18 at 15:50

There is no full proof way.

But here is some strategy that can be employed to hide source code using "window.history.pushState()" and adding oncontextmenu="return false" in body tag as attribute like <body oncontextmenu="return false"> to disable right click too along with modifying view-source content using "history.pushState()".

Detail here - http://freelancer.usercv.com/blog/28/hide-website-source-code-in-view-source-using-stupid-one-line-chinese-hack-code

score 0 · Answer 19 · answered Oct 29 '20 at 07:28

I think, here, right click is not mentioned, @Jishnu V S.

document.onkeydown = function(e) {
    if(e.keyCode == 123) {
     return false;
    }
    if(e.ctrlKey && e.shiftKey && e.keyCode == 'I'.charCodeAt(0)){
     return false;
    }
    if(e.ctrlKey && e.shiftKey && e.keyCode == 'J'.charCodeAt(0)){
     return false;
    }
    if(e.ctrlKey && e.keyCode == 'U'.charCodeAt(0)){
     return false;
    }

    if(e.ctrlKey && e.shiftKey && e.keyCode == 'C'.charCodeAt(0)){
     return false;
    }      
 }

score 0 · Answer 20 · answered Oct 03 '21 at 18:59

Not possible, but there is an alternative. It doesn't hide the HTML, but it rather hides JS code. It is better than hiding nothing. If you are using any front-end framework like ReactJS, etc. So, you can actually hide your source code from showing up in the Sources tab of the browser.

Follow these easy steps:

Create a .env file in your project
Write GENERATE_SOURCEMAP=false in the .env file
Now, deploy the code to Netlify, etc.

Now, *min.js files we made rather than original JS files in the browser.

score 0 · Answer 21 · answered Apr 25 '22 at 13:12

However there is no 100% solution for this, but at least you can make it harder for the users.

In your HTML just place an empty tag, e.g. <div id="text1"></div>

Then call a javascript function - send a POST request via ajax to e.g. renderer.php file, which will pull the content from database and return as json response.

Then via $(#text1).html(textfromphp) you just put the text to your id on the page.

Plus you disable left/right click on your page via javascript.

So the user can't copy anything from your page, even if the user opens the source code, he will see just empty DIV tag!

You can also disable right click to prevent opening dev tools or F12.

Also the renderer.php file has a session check, so it can't be run standalone if anyone tries it and it also awaits POST request.

If the user disables javascript, the content is not rendered anyway.

The only way to obtain your page content is via Network requests and not everyone can do that.

This is how I protect my content.

How to hide html source & disable right click and text copy?

21 Answers21

Linked

Related