In my angular application if I go to dev tools network tab I will be able to see the response and request coming from the back end.
Do anyone know how to hide or mask this data, is this possible if I do the server-side rendering?
Requests will be shown.
This cannot be stopped, the application is making requests and this will be logged to the network tab by the browser, as mentioned in the comments, if there are security concenrns you should be handling this a different way. Do not send data to the client that they should not be allowed access to in the first place.
To try and ensure security run over HTTPS on the off chance to data gets intercepted, that way it will not be usable data. Most data, as mentioned in the comments, will be provided by the user. Meaning in should not need to be hidden within the network tab.
Worst case scenario, someone physically sits at their computer and reads what is in the network tab, but this is a scenario that cant be accounted for when developing applications. You could base64 encode data that is being sent to and from so it is less readable to anyone who should see the network tab. Here are some resources to have a look through related to the question.
HTTPS summerised // base64 encode // Angular's security section
Related
In Chrome, you can go to developer tools > network tab to see all the requests the website is making.
What would be a good way to get the list of these requests programmatically? I guess I can grab the content of the site, grab all the URLs that are in the page and parse them, but that seems a bit tedious, especially if the requests are being made from a JS file.
Is there an easier way?
On the server side, there's the access log that will have request information for all requests made against it. It might take some configuration to save all the fields you want to use (method, POST data, cookies, time, remote client address) but this is more efficient than trying to do things from a browser. Each web server has a different way of configuring its log files.
$http.get('/someUrl').
success(function(data, status, headers, config) {
// this callback will be called asynchronously
// when the response is available
}).
In the above code, I want to hide the header information. Using the browser inspect method we can view the header information.
It's not possible to hide requests.
A couple of more additions (Not sure why this was downvoted, but I'll attempt to be more clear).
Javascript is client-side, which means it get's run from the client's machine. The end user will be able to inspect the code, and be able to see what it's attempting to do. Even if the code is obfuscated, it can still be converted or read and they will be able to see how it's making the request (Thus being able to interpolate what request headers would be sent.)
What if the client is using a custom browser? For example, one they wrote himself? You make a request to your server, and it's going to respond with your javascript/HTML. Then, their javascript parser is going to attempt to make the request, which they can then capture the request that is attempting to be made.
In chrome, web requests are logged for ease of use to the end developer. This is not something that can be disabled or turned off, because as I stated in my previous paragraph would only make it appear as if it's hidden, and wouldn't be effective at stopping someone who knows anything about the HTTP protocol.
And finally, even if this were possible, someone could monitor the traffic between the client and the server, and inspect network traffic to see what was sent and received (HTTP is a fully documented RFC protocol for interchanging web requests, and is essentially a giant string of headers and easily view-able.) In short, it's not possible.
Javascript is client-side, which means it get's run from the client's machine. The end user will be able to inspect the code, and be able to see what it's attempting to do. Even if the code is obfuscated, it can still be converted or read and they will be able to see how it's making the request
I can't believe that I'm asking this right now, but I have no idea how solve the following problem:
I have a web app that logs every visited page in a browser for better browser history search. The extension is a chrome extension that needs to make a POST request to my API. Obviously, I need to avoid CSRF issues, i.e. other sites using the user's session to post arbitrary data to his browser history. However, since the extension runs in a different origin as a content-script, I cannot retrieve CSRF tokens, hence I cannot make authenticated POST requests.
EDIT:
So I now know that I can use chrome.storage (and equivalents in other browsers) to store a token that only my content_script can read. However, I still haven't solved the issue of how getting that token into chrome.storage in the first place
I seem to miss something really obvious ...
I suspect a content script isn't necessary, and you should just be using the chrome.webNavigation API from your event page to get the user's browsing activity.
You'll still need the user to log into your service somewhere in the browser. If you take your service's origin as a host permission, your extension will be able to make XHRs as the user, which may be enough to solve your XSRF problem, at least as long as nobody else can intercept the user's login cookies.
FYI, I realized that chrome.storage provides a means to sync/pass confidential data like your token that is only accessible to your scripts.
Hence, the solution is to visit a webpage of yours, and have a content script extract the token and store it in chrome.storage.
Note - It is not a duplicate of that question. The concerns are different. I don't want to disable that firebug let it be open let the user to use all functionality provided by firebug, I only want firebug not to show service calls.
I may be wrong but I want to ask when browser developer tools like firebug displays service calls and their request response Is it not a security threat? If not why so?
IF it is, Is there any way by which we can hide the display of service calls after build deployment in firebug or developer tools?
You can see a get request shown by firebug in Mozilla firefox.
I have searched for this but not getting anything fruitful and I am also not able to find any post related to this concern on stackoverflow. If any one has any information please share it.
No, this is not a security issue on any properly designed web site / service. The browser, and requests performed by the browser, should all be considered to be under the user's control. (Indeed, from a security perspective, the browser should be considered an extension of the user, rather than something separate from them.) As such, the user viewing something that's under the user's control is not a risk at all.
If your web site is sending data that the user shouldn't be allowed to see in HTTP(S) requests, you've done something wrong. That data should never leave the server at all if it's that sensitive - move the logic that needs it off of the client (e.g, Javascript) and back onto the server side.
If your web application follows security through obscurity then it would be harmful.
But as long as you make your web application secure with common vulnerabilities like CSRF, XSS taken care of then anyone seeing the request made / response received doesn't matter.
I apologize that there is a similar question already but I'd like to ask it more broadly.
Is there any way at all to determine on the client side of a web application if requesting a resource will return a 401 status code and cause the browser to display an ugly authentication dialog?
Or, is there any way at all to load an mp3 audio resource in flash which fails invisibly in the case of a 401 status code rather than letting the browser show an ugly dialog?
The Adobe Air run-time will suppress the authentication if I set the "authenticate" property of the URLRequest object but this property is not in the Flash run-time. Any solution which works on the client will do. An XMLHttpRequest is not likely to work as the resources in questions will be at different domains.
It is important to fail invisibly because the application will have a list of many audio resources to try and it makes no sense to bother the user to try and authenticate for one when there are many others available. It is important that the solution work on the client because the mp3's in question come from various servers outside my control.
I'm having the same problem with the twitter api - any protected user requires the client to authenticate.
The only solution that I could come up with was to load the pages serverside and return a list of the urls with their http response code.
"Is there any way at all to determine on the client side of a web application if requesting a resource will return a 401 status code and cause the browser to display an ugly authentication dialog?"
No, not in general. The 401 response is the only standard way for the server to indicate that authentication is necessary.
Just wrap your access to the resource that might potentially require authentication to an Ajax call. You can catch the response code, and use javascript to do whatever you want (ie. play that sound). If the response code is however alright, then use javascript to forward user to the resource.
Most likely this approach will generate slightly more load on server (you might have to resort to loading the same resource several times in some circumstances), but it should work. Any good tutorial about how to use XMLHttpRequest should contain all you need. Take a look at for instance http://www.xul.fr/en-xml-ajax.html
If you are using URLRequest to get the files, then you are running across more than just elegant error handling, you are running into a fundamental difference in the Flash and AIR run-times.
If using the URLRequest object to retrieve files you are going to get a security error from Flash on every request to every server that has not set a policy file to allow these sort of requests. AIR allows these requests since it basically IS the client. This makes sense since it's the difference between installing an application and visiting a web page.
I hate to provide the non-answer, but if you can't make a server-side call, and you are hitting a range of "not-known" servers, it's going to be a tough road to hoe.
But maybe I misunderstand, are you just trying to Link to the files and prevent the user from getting bad links, or are you trying to actually load the files?