0

Let's say I've to include the following line with my website header:

<script type="text/javascript" language="javascript" src="file.js"></script>

Now anyone easily can visit my--web--site/file.js and view its source. So, I wonder if there any idea I can rename file.js to file.php and still able to call it and works fine, so that no one can view it by visiting my--web--site/file.php.

Any idea?

khr055
  • 28,690
  • 16
  • 36
  • 48
Reham Fahmy
  • 4,937
  • 15
  • 50
  • 71
  • Your JS files will be in user's PC so forget about being DRM-like and better go and prepare some good server-side validations on the data inputs. You can obfuscate your JS if you want to keep your knowlkedge to yourself. – Alfabravo Feb 14 '12 at 19:31
  • You need to understand the difference between **client-side** code and **server-side** code. – SLaks Feb 14 '12 at 19:31
  • The file would have some personal informations that i'm calling it using ajax ! – Reham Fahmy Feb 14 '12 at 19:32
  • There's really no point in doing this. Practically anyone who feels compelled to analyze your source will surely be able to circumvent any *please-dont-find-me* methods. Basic rule of thumb: if the browser can access it, so can the user. – webbiedave Feb 14 '12 at 19:32
  • Not in the file, sir! The data you get thru AJAX will ALSO be in client's side (in browser's memory, actually) but it will evaporate as you move on to another page (and don't save it in user's session). Must check those concepts. If the matter is that important, better be sure the ajax request is tied to a valid session... – Alfabravo Feb 14 '12 at 19:33
  • @JackBen If the JS file contains "personal information", you need to read up on *authentication*. Your site should already know who you're talking to, if it's serving up person-specific data. – user229044 Feb 14 '12 at 19:38

5 Answers5

5

About the only thing you could do is to make it difficult to read and understand your JavaScript code.

Check out this post on the YUI blog about Minification and Obfuscation. Minification will have the added benfit of making your script smaller and thus load faster.

Take special note of what the article has to say in its closing paragraph:

Then finally, there is that question of code privacy. This is a lost cause. There is no transformation that will keep a determined hacker from understanding your program. This turns out to be true for all programs in all languages, it is just more obviously true with JavaScript because it is delivered in source form. The privacy benefit provided by obfuscation is an illusion. If you don’t want people to see your programs, unplug your server.

Sam Sehnert
  • 2,933
  • 1
  • 20
  • 25
3

No, you cannot do this. If a person's browser is able to read your JS file, that person must also be able to read your JS file. That is how the Internet works. This is good and desirable behaviour, and you shouldn't try to keep people from reading the CSS/JS/HTML that composes your website. It is completely self-defeating and serves no purpose. Nobody is interested in stealing your JS code.

user229044
  • 232,980
  • 40
  • 330
  • 338
3

Javascript is distributed as source - if your users can't view it, they can't run it - so no, not really.

What you can do, if you are paranoid, is obfuscate and minify (google "minify javascript") the source before deploying.

This is far from bulletproof though (chrome for instance, has a very nice pretty printer in its debugging tools).

jka6510
  • 826
  • 5
  • 8
2

If you don't want people seeing the contents of your web page (including your JS), don't put it on the internet!

Anyone with a debugger on the client can grab your script no matter how you serve it up to the client.

Diodeus - James MacFarlane
  • 112,730
  • 33
  • 157
  • 176
2

No. The JavaScript file is downloaded and executed on the web browser. This means that the user needs to be able to download it.

You can obfuscate it using some kind of obfuscator that makes it a lot harder for people to read, yet keep it functional by the client.

Community
  • 1
  • 1
CanSpice
  • 34,814
  • 10
  • 72
  • 86