0

Would it be possible to display different content if someone opened one of my .js or .css files in a browser? I configured Apache to execute PHP code in .js and .css files. How can I detect if the file was requested by a webpage or viewed directly by a user?

Edit: I know there's no way to hide my files 100%. I'm looking for the best way to discourage people from copying my code.

Leo Jiang
  • 4
    You can't. Best you can do is [obfuscate](http://stackoverflow.com/questions/194397/how-can-i-obfuscate-javascript) and [minify](http://en.wikipedia.org/wiki/Minification_(programming)) it. – Michael Petrotta Jan 01 '12 at 05:17
  • 3
    This is yet another case of "You can't give information to someone without giving them the information" – Ben Jan 01 '12 at 05:24

2 Answers

7

Nothing on the web that works in a browser can be genuinely cloaked. The browser is just an agent requesting the file, same as any agent requesting the file for any use. A server knows no difference between a browser downloading a JS file as part of a web page and a user downloading the JS file to view it. To the server, they are just requests to download the file. The server doesn't know what's going to be done with it.

Even further, JS files and CSS files are usually kept in the disk cache (for performance reasons) where they can be retrieved independent of the server.

The only thing you can do is to obscure your code with minification and obfuscation. Minification makes sense because it also makes things more efficient. I wouldn't personally recommend obfuscation because it doesn't really stop a determined viewer - it only slows them down slightly. If the browser can understand the JS file to run it, then so can a hacker.

In general, people seem to think that their JavaScript is somehow way more important a secret than it really is. If you do have some sort of secret algorithm that really needs to be protected, then your best bet is to keep the code for that on the server and use ajax calls to access it from your client JavaScript as needed.

jfriend00
  • 3
    I think your last paragraph really sums it up. If you don't want people to see it, don't send it to them. Keep your secrets on the server. – Brigand Jan 01 '12 at 05:44
  • 2
    +1. Further to your last paragraph I think some people have an over-inflated sense of how good their own code is, too, like there are thousands of people out there lining up to copy it. (I don't mean to imply the OP is such a person; I think this is a question all web developers ask at some point.) – nnnnnn Jan 01 '12 at 06:44
0

You can detect if the file is called directly by the user by checking the HTTP Referrer header. But it will not prevent the user from checking in Firebug or equivalent tools to see the source of your script.

sergiogarciadev
  • Or just set the referrer header as desired - something any determined hacker can do (though it's easier to get it from the disk cache) or capture it in a network traffic analyzer. There is no way to allow a browser access and not allow a human access. – jfriend00 Jan 01 '12 at 05:33
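
The Referer check from the second answer, run against four constructed requests to show what the server can and cannot tell apart. This is an added example, not code from any of the posts above. The origin `https://example.test`, the script bodies and the request objects are assumptions made up for the illustration.

```javascript
// Added example: names, origin and sample requests are constructed.
const SITE_ORIGIN = "https://example.test"; // assumed origin of the site's own pages

const REAL_SCRIPT = "function total(a,b){return a+b}";
const DECOY = "/* nothing to see here */";

// The check the answer describes: serve the real file only when the
// Referer header points at one of the site's own pages.
function serveScript(headers) {
  const referer = headers["referer"] || "";
  let fromOwnPage = false;
  try {
    fromOwnPage = new URL(referer).origin === SITE_ORIGIN;
  } catch (_) {
    fromOwnPage = false; // missing or malformed Referer
  }
  return fromOwnPage ? REAL_SCRIPT : DECOY;
}

// Constructed requests. The server only ever sees the header values,
// never who or what produced them.
const requests = {
  pageLoad: { referer: "https://example.test/index.html" },
  addressBar: {}, // user typed the .js URL directly
  clientSetHeader: { referer: "https://example.test/index.html" }, // header chosen by the client
  noRefererVisitor: {}, // real page load from a browser that omits Referer
};

// Returns which body each constructed request would receive.
function classify() {
  const out = {};
  for (const [name, headers] of Object.entries(requests)) {
    out[name] = serveScript(headers) === REAL_SCRIPT ? "real" : "decoy";
  }
  return out;
}

console.log(classify());
```

The check is wrong in both directions: a request with a client-chosen header is indistinguishable from a page load, and a legitimate visitor whose browser sends no Referer gets the decoy, which breaks the page for them.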