Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I've been developing my first AngularJS application for a while, and I just realized that anyone could simply get/copy all the information from my JSON files at once. Therefore I ask:
Is it safe to use AngularJS - i.e. should I be worried about people copying all the content of my app at once and then simply pasting it somewhere else?
Is there a way I can make it unreadable for people to read the JSON file? I do know that there are some tools and websites that could make JavaScript scripts unreadable, but as I pass it to the view it makes the JSON unreadable by the browser.
There's a website called Udemy that uses Angular in part of it. I have tried by all means to see the class titles, but still I can't find/read the JSON file that contains the content. How is such a thing possible?
Many thanks.
You should never send to the user any data that they are not allowed to read, independent of whether the data is actually displayed on their screen. I assume that your data comes from a server (which possibly reads it from a DB); even with Angular.js you need to make sure that your server will only send the data that the particular user is authorized to see.
So the answers to your questions are actually not related to Angular at all, but to the server-side technology you use to feed the data to the angular client running in the user's browser.
No, since AngularJS is client-side, anything you send it is available to the client. Therefore:
1) Depends on what you mean by safe. But yes, people can "read" all the content of your app that isn't in the backend.
2) No, not if you're using them in your javascript code.
There is no safe way to give someone both content and key but prevent them from reading it.
And that is what DRM does, actually what you are looking for.
Actually, any content is not considered 'safe' after you have sent both content and key to the client.
If they have key and content, they of course can find some way to decrypt and read them.
First off, yes, it's safe to use AngularJs. Angular and any client-side utility should only be concerned with processing the "view logic" of the data it's receiving. That data is the result of the server-side "business logic" which is completely oblivious to the workings of Angular.
I believe you can still answer your security concerns by requiring authentication for your data. Require users to log in and allow them to access data via an authentication cookie or similar model. You can get this out of the box (or at the very least learn the process) by using MEANJS (meanjs.org).
All JSON data supplied to your site should be the data you want to be seen. If you're concerned that people can simply use your JSON URLs to aggregate your data on their own servers (assuming they pass the authentication process) then I'm sorry to say there are plenty of tools and savvy developers who can cherry pick that data off any site regardless of whether it's delivered via JSON, HTML, XML, etc.
In order to reliably hide data between client and server you'll need to build your own web application (think app) that uses one or more encryption methods on both ends. Even if you try to build your own client-side encryption/decryption/two-way-handshake for a standard web browser, you'll inevitably expose the business logic nested in the Javascript and defeat the purpose entirely.
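The point made in the answers above (the server decides what goes into the JSON; the browser only renders it) as an added example that is not part of the original posts. The data, `courseJsonFor` and the session shape are hypothetical; the course and user records are constructed samples.

```javascript
'use strict';

// Constructed sample data standing in for the server's database.
const COURSES = new Map([
  ['ng-101', {
    title: 'AngularJS Basics',
    lessons: [
      { id: 1, title: 'Intro', preview: true, videoUrl: '/media/ng-101/1.mp4' },
      { id: 2, title: 'Directives', preview: false, videoUrl: '/media/ng-101/2.mp4' },
    ],
  }],
]);
// user name -> set of course ids the user has access to
const ENROLLMENTS = new Map([['alice', new Set(['ng-101'])]]);

// Builds the JSON body for GET /api/courses/:id (hypothetical route).
// `session` is whatever the server's own authentication layer produced,
// never a value taken from the request body or query string.
function courseJsonFor(session, courseId) {
  const course = COURSES.get(courseId);
  if (!course) return { status: 404, body: { error: 'not found' } };

  const user = session && typeof session.user === 'string' ? session.user : null;
  const owned = user ? ENROLLMENTS.get(user) : undefined;
  const enrolled = Boolean(owned && owned.has(courseId));

  // Copy field by field: only what this caller may read is ever serialized.
  const lessons = course.lessons.map((lesson) => {
    const visible = enrolled || lesson.preview;
    const out = { id: lesson.id, title: lesson.title, locked: !visible };
    if (visible) out.videoUrl = lesson.videoUrl;
    return out;
  });
  return { status: 200, body: { title: course.title, lessons } };
}

// The same endpoint, three callers.
const anonymous = courseJsonFor(null, 'ng-101');
const stranger = courseJsonFor({ user: 'mallory' }, 'ng-101');
const member = courseJsonFor({ user: 'alice' }, 'ng-101');
console.log(JSON.stringify(anonymous.body));
console.log(JSON.stringify(stranger.body));
console.log(JSON.stringify(member.body));
```

Whatever the Angular view does with the response, a caller who is not enrolled never receives the locked lesson's URL, so there is nothing in the browser to copy.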
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 months ago.
Just discovered one bug in a "n" online shop. The bug is the possibility to change HTML code (thanks to inspect element) and make an earlier unavailable pickup point available. As a consequence, I was able to order some stuff, pay, and even get confirmation of my order. My question is, how can an owner prevent something like this?
P.S. During ordering, I was only on the one web page; there was no redirecting to another page or refreshing the current one, until payment.
P.P.S. Just want to mention that I'm a total newbie in these "magic" things. So probably you can recommend me books/webpages etc. where I can read more about "server responses".
As you found out, editing the HTML code of a site and/or modifying the data sent to or from your browser is indeed not too difficult. That's part of how a browser is designed and intended to work, so you'll have to deal with this kind of "hacking" on the server side.
Here's a very superficial (and not complete) list of things to keep in mind when setting up your server and backend application:
Every request from outside ("the client") is potentially malicious or tampered with. → Make sure you use server-side validation for "everything". This may refer to:
- Input fields (length, value, format, ...)
- Data formats (e. g. correct JSON/XML structure)
- User authentication and authorization
- Your business rules (this is, as I think, the one decisive in your example - probably everything else was valid, but the server side did not check for the availability of that pickup point you injected)
Thus, never rely on client-side validation (typically JavaScript / TypeScript) only! You can use this for a better user experience, but the real "hard" validation must take place on the server side.
Depending on the criticality of your site and the confidence of the data associated, think about adding more security by using a Web Application Firewall (WAF), rate limiting, log crawling and other techniques to identify and block suspicious traffic.
Keep your server software (the operating system with all its libraries etc., the application server (like Apache / Nginx / WildFly / ...) and the software your site consists of (like a Spring / PHP / Angular / ... application)) up to date. There are means and methods like Dependabot helping you to automate this process. Outdated software and libraries might have some known bugs an attacker can exploit.
Try to use standard software, frameworks and mechanisms wherever possible. Modern Web Frameworks like Spring Boot, Laravel, ... are well-maintained and security issues are found and fixed early. Also, they have validation and fraud detection methods built-in already, you'll just have to make use of them. On the other hand, if you try to code your own authorization framework (for example), you'll most likely overlook something and leave a security gap.
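A server-side check of the kind this answer describes, as an added example that is not part of the original post. `validateOrder`, the id formats and the pickup-point and product tables are hypothetical and constructed; it goes slightly beyond the pickup-point case by also recomputing the price from server data.

```javascript
'use strict';

// Constructed server-side state; in a real shop this is read from the database.
const PICKUP_POINTS = new Map([
  ['pp-01', { name: 'Main Street', available: true }],
  ['pp-02', { name: 'Harbour', available: false }],
]);
const PRODUCTS = new Map([['sku-1', { priceCents: 1999, stock: 5 }]]);

// Validates a parsed order body. Every value is checked against server state;
// nothing the page rendered (disabled options, hidden fields) is trusted.
function validateOrder(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, errors: ['body: must be a JSON object'] };
  }
  const errors = [];
  const { pickupPointId, items } = payload;

  // Input format first, then the business rule: the point must exist AND be
  // available right now, whatever the HTML form allowed the user to select.
  if (typeof pickupPointId !== 'string' || !/^pp-\d{2}$/.test(pickupPointId)) {
    errors.push('pickupPointId: bad format');
  } else {
    const point = PICKUP_POINTS.get(pickupPointId);
    if (!point) errors.push('pickupPointId: unknown');
    else if (!point.available) errors.push('pickupPointId: not available');
  }

  if (!Array.isArray(items) || items.length === 0 || items.length > 50) {
    errors.push('items: must be an array of 1 to 50 entries');
    return { ok: false, errors };
  }

  let totalCents = 0;
  items.forEach((item, i) => {
    const product = item && typeof item.sku === 'string' ? PRODUCTS.get(item.sku) : undefined;
    if (!product) {
      errors.push(`items[${i}].sku: unknown`);
    } else if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > product.stock) {
      errors.push(`items[${i}].qty: out of range`);
    } else {
      // Price comes from the server's table; a client-sent price is ignored.
      totalCents += product.priceCents * item.qty;
    }
  });

  return errors.length > 0 ? { ok: false, errors } : { ok: true, totalCents };
}

// Constructed requests: one edited in the browser, one legitimate.
const tampered = { pickupPointId: 'pp-02', items: [{ sku: 'sku-1', qty: 1, price: 1 }] };
const honest = { pickupPointId: 'pp-01', items: [{ sku: 'sku-1', qty: 2 }] };
console.log(validateOrder(tampered));
console.log(validateOrder(honest));
```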
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 2 years ago.
I am a new programmer and I saw that Google is written in Python. I know that HTML, CSS, and JS are used to make websites, so how is Python "linked" to this? This is probably a very basic question but I am new to all this.
So your code in browser is called front-end (FE). Sometimes it's all you need. However, sometimes you need to store some data on the server and/or retrieve it from there. That is where back-end (BE) comes into play.
BE is basically an app on some computer (maybe a server, maybe a Raspberry Pi, anything really) that listens to requests from the network. Let's say your code needs some data from the server. Your code on the front end makes an AJAX request to the network address of this server on some specific port. The BE, which may be written in Python, or any other language, receives the request and does something with it.
It can fetch data from the DB or anything really. Then it sends a response back to your FE, sending some data, or confirmation that everything was done successfully, or an error if something went wrong.
Python is used for backend development. The backend is the part of your website that runs on your server, not the browser. The backend is used for authentication, communicating with the database, and much more. There are some popular frameworks in Python like Django and Flask.
Google in front of you is called front end which is written in HTML, CSS, and JS and usually interpreted by browsers. In the end, HTML, CSS, and JS are all codes, thus, string (or binary).
Python is used to generate those strings, the codes, in back end.
According to the Mozilla Developer Network (MDN),
HTML — Structuring the web
HTML is the language that we use to structure the different parts of our content and define what their meaning or purpose is. This topic teaches HTML in detail.
CSS — Styling the web
CSS is the language that we can use to style and layout our web content, as well as adding behavior like animation. This topic provides comprehensive coverage of CSS.
JavaScript — Dynamic client-side scripting
JavaScript is the scripting language used to add dynamic functionality to web pages. This topic teaches all the essentials needed to become comfortable with writing and understanding JavaScript.
Below is where you will find how Python is linked to HTML, CSS, and JS.
Server-side website programming
Even if you are concentrating on client-side web development, it is still useful to know how servers and server-side code features work. This topic provides a general introduction to how the server-side works and detailed tutorials showing how to build up a server-side app using two popular frameworks: Django (Python) and Express (Node.js).
(Ref.: https://developer.mozilla.org/en-US/docs/Learn)
Below, you can read more about
what clients and servers are,
how they are linked, and
how and what the clients request to the servers and the servers respond to the clients
Some of the useful keywords are HTTP verbs (HTTP request methods), Uniform Resource Identifier (URI), and HTTP status code.
An article about Back-End Web Architecture from Codecademy
Note: As someone who just started programming, it could be really overwhelming to look for satisfying/precise answers across the web. You could also start from some reliable learning sources and search for the keywords to get a specific result. Happy learning!
The old way to do this is with cgi-bin, which is an interface between the web-server and a program installed on the same machine.
When a user requests a static page, the web-server returns the contents of a file, with some headers prefixed. cgi-bin allows for dynamic pages. Here the web-server runs a local program, passing it the URL and any headers from the client (web-browser). The program then generates the headers and body of the reply, and the web-server passes them back to the client. The program then exits.
The program can be written in any language. Perl was traditional, however Python or a compiled program is frequently used nowadays.
It was common to have cgi-bin at the start of the URL to denote this to the server, but it isn't really needed - the server can be told that any specific (or all) URLs are to be fetched via cgi-bin.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
When I use ASP.NET to code a website, ASP.NET on the server calls SQL Server (ADO.NET, LINQ or Entity Framework), gets data back, and sends it to the client side. I use controls such as GridView to show the data. Actually, I do web optimization (SQL Server: stored procedures, creating indexes, partitioning => faster data retrieval. Website: simple UI, not too many effects).
But why, on the client side, when the server returns data to the client, do many people always use scripts (such as JavaScript, jQuery, Node.js, AngularJS, Bootstrap, React, google o/i....) to show it in the web page?
So, is it slower or faster when we use GridView?
And when a user (on the client side) stops scripts in the browser, that is, manufacturers allow or offer users the option to stop scripts in the browser on the client side, why do we use them (*.js) when the user can stop scripts?
Even many people who use ASP.NET (new version - 2013) on the server also use scripts there. So is ASP.NET + scripts on the server faster or slower than when we only use ASP.NET?
Please help me answer.
(I apologize because my English is not good.)
Thank you so much.
In the early years of Web development, Javascript on the client side provided for considerable enhancement of the client's "user experience" that static HTML delivered from the server did not. This includes such things as the enabling or disabling of certain interface features based on user input, the appearance or hiding of certain regions of a display based on user input, or combination of other pieces of data.
As web development evolved, the need for even more robust client-side interaction with back-end web servers became evident, and the "frameworks" you mentioned all work in various ways to improve the design, responsiveness, and behavior of a web-based application in ways beyond just enabling or disabling a button. This amounts to complex data binding, callbacks to web services, reducing server round-trips, and creating rich client interfaces, to name only a few.
They're all tools, each with their own role, each working to make web applications a bit more robust than those of the generation before them.
If I understand your question right, the answer comes down to speed and preference.
Firstly, if you disable client-side javascript, your asp.net controls aren't going to really work anyway. You'll find few places that still disable this so it's not really a concern people have anymore.
Secondly, it comes down to where you want to focus development effort and what kind of developers you have. If you have a lot of people used to working backend (C#) and want to stay there, then using asp.net controls and the like make development easier.
If you have javascript developers or people who want to use it, then you have more options that allow you to more decouple your server-side code from your front-end code. This can work out well for maintenance purposes.
The real point is that if you can utilize ajax (http://www.w3schools.com/ajax/default.asp) within your web application, you can make it a lot more responsive. ASP.NET Controls can often cause your page to refresh and cause unnecessary server-side computing to get the data and re-render the entire page (or partial page with asp.net mvc). Using new technologies like angular and others you listed, you can focus data computation and network traffic only on what's important.
For example, if you need a table to change what data is loaded, you can make an ajax request JUST for the data you need to load and then just render that portion on the client.
First of all, every "script" you mentioned (jQuery, AngularJS, Bootstrap, React) is a library written in JavaScript. Except Node, which isn't even front-end. And I'm not sure what you meant by google o/i... JavaScript is currently the only language which works in all browsers.
The initial purpose of JavaScript was to check form values before sending data to servers. It quickly evolved past that, although the usage was throttled by browser adoption, which is still a problem today.
Nowadays we can use JavaScript to render whole webpages. First, when opening the page, it can help with rendering, meaning that the server doesn't have to do all the work, but can just send plain data, usually in JSON. It's also used to add content to the page later, without reloading the page (AJAX). The most well-known examples are real-time chat systems, like the one on Facebook. This greatly improves user experience; I can't imagine how terrible it would be if the whole page would reload to display a single new message.
Although users can disable JavaScript in their browsers and this would mean the page probably won't work, except if there is a fallback design for such cases, I do not know why someone would disable it. And to be honest, probably most regular users don't even know this can be done and where the setting to disable JavaScript is.
Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I use the www.Spruz.com network for my website. I am not looking to use PHP or SSL blocking methods being that I can't as is. I can't seem to find JavaScript or jQuery code to possibly hide a DIV element or redirect without having to use PHP or SSL methods. I am getting hit with foreign spammers/advertisers that are hitting up my messengers and whatnot. I need to block a few IPs but I am lost. How might I achieve my goal?
I suggest you use server side scripting for this. I think you are misunderstanding what javascript actually does. Javascript is a client-side scripting language which means it runs on the client machine. So although you can hide the div, simply changing the css properties will reveal everything (a regular user wouldn't do that, you can't say anything about a malicious user).
Ideally you'd get access to your PHP or whatever server side language so you could run IP blocks from there. If you can't, you can try the solution here to get the IP via JavaScript:
How to get client's IP address using javascript only?
But the best solution is probably to rebuild whatever form is being abused with either reCAPTCHA or some other spam blocking script.
Well before trying to figure this out, just for grins I fed "spruz web blocking" into Google. The very first hit was http://my.spruz.com/forums/?page=post&id=9B8BE09C-1D18-4C9D-8510-C1D3035BDA44&lastp=1 ...looks like it explains in detail exactly how to do what you want on the server side. I haven't actually tested it or investigated in detail that they implemented it what I would consider correctly, but it seems worth a shot.
As others have expressed, client-side blocking won't do more than slightly annoy serious spammers. The logic is to a) send them the requested pages then b) have the pages recognize they're inside a hostile environment and self-destruct. Once the spammers already have the pages (a), they can take a quick snapshot before the pages self-destruct (b), and do whatever they wish. (In fact they'd likely use something like 'wget' to fetch the raw page and skip page execution and display altogether no matter what you do.) Correctly-coded server-side solutions, on the other hand, never send the pages to that IP address in the first place, so the only thing they can do is try to fool you by pretending to be somebody else.
(There's a pretty standard way to do this sort of thing pretty easily with an 'apache' web server, but I see that's not relevant on spruz.)
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 2 years ago.
I'm looking for a JavaScript library that will let me store data in a client-side database and in the background automatically sync the database back to the server's database,
preferably something that supports a variety of engines in the same way jStore for jQuery does.
Looking around I can find anything
Just stumbled across this question; for posterity, CouchDB and CouchBase are designed for this:
http://couchdb.apache.org/
The JavaScript client:
https://pouchdb.com/
And CouchBase:
https://www.couchbase.com/
Finally, CouchBase Lite/Mobile:
https://www.couchbase.com/products/lite
The latter gets you native CouchDB/CouchBase synchronization.
In all cases you just access the local database and it can synchronize if and when you connect to the internet.
Store.js deals with the client-side storage very well. Note that it supports IE6+ along with other browsers. For the server-side storage you might as well make your own script for that as it should not be difficult.
Since this question was asked, there's been a lot of work done on local storage and client side databases.
There's a great overview of local storage options at Dive Into HTML5.
There are also several cross-platform JavaScript storage libraries available, including Lawnchair and persistence.js.
I am not 100% sure, but I think there isn't such a framework. I would recommend having a look at Google Gears.
Google Gears supports offline storage on the client side.
Another approach would be to check out the source code of TiddlyWiki. They have created a wiki system which stores all data on the client side.
I'm not aware of any library that does that nowadays. Even though this is a possible idea, I must say that I'm not sure if making such a library is a good effort.
It would have to provide examples of how to expose your server data to the library, how to calculate deltas, and so on. This would force the developer to change this server side code accordingly to the library's protocol.
This could be great for new apps and websites, but this could be a pain to any existing site, with particular data structure, making the effort to implement this not so much preferable to developing your own Javascript to do that with current data already exposed by the app.
All of these on top of potential security problems would be kinda hard to manage in one generic javascript library.
IMHO this is a great idea to make bundles or plugins to specific ORM based MVC frameworks, for example Ruby on Rails or Django. Since the framework itself has an abstraction to the data structure and many security fixes already bundled together, making a bundle to do that would be much more re-usable and more elegant.
I've been doing some work on this. It seems to be almost possible using Google Documents. Most of the APIs are accessible via Javascript. Unfortunately the exceptions include things like upload and download, so while it's possible to enumerate documents, create files, change metadata etc all from inside the browser, actually getting at the data is a lot harder.
Google Spreadsheets do have JavaScript APIs for accessing individual cells, so it's theoretically possible to store your data in a spreadsheet. Unfortunately there's another hole in the API where it seems to be rather hard to write data to a cell that previously did not have data in it, which means that once you've created your empty spreadsheet, you can't populate it...
As far as I know Safari, Chrome, and Opera are all based on SQLite.
SQLite has a .dump command which is not only great to restore a database but to sync with another database.
Therefore, it may be possible to call this from the Javascript Database using .dump, and if necessary, modify the dump and upload it to the server database to execute.
However, you will want to be careful of SQL injection attempts.
Did you try jsonengine?
Not sure how much this project is alive but this answers all your requirements.
Firebase does this, although it is not a relational model.