Unable to execute JavaScripts files protected through .htaccess - javascript

Being new to .htaccess concept, I have a basic question.
I tried to protect a directory which hosts my stored procedure files... this is because I need not anyone else accessing the code of the file. My issue is the following:
When I try to access a file of the directory through javascript as part of my coding, the same pop up comes up requiring username and password. How can this be resolved?
Please advise if the route I am taking is wrong.
My intention is that the code should have access to stored procedure files, but none should have access to the actual file content. This can be applicable for css files or javascript files as well.

You can't differentiate between a client asking for a resource because your code asked it to and the same client asking for a resource for some other reason.
Even if you could, then the resource would still be available to the owner of the client, without making another request for it, through (for example) the developer tools built into most browsers.

If the files you're talking about are all Javascript then protecting them like that isn't really feasible. They are client-side scripts, meaning they need to be downloaded by the user's browser. Unfortunately, you can't reliably tell the difference between a browser downloading them as part of an HTML page, and a user downloading them directly to steal them.
The best you can do is obfuscate the files to make them difficult to understand. That will never prevent a determined code thief though.

Related

Javascript URI/Origin Override

I have a very specific challenge where a self contained website and assets are stored in a location that is not a web server and cannot be a web server.
I need to be able to provide staff a stand alone index.html file that they can run from their local computer which will reference the online location as a sort of external storage repository.
The website has a lot of assets and javascript... in many cases the javascript calls to assets using local paths such as images/image_file.png
Without manually updating all the asset paths within the website code, modifying hosts file... using iframe... is there a way with javascript alone to add prefix to all paths that come after in the document?
Almost like defining or setting origin which I don't believe is possible.
I had thought to read the code in with a parser and try and regex replace but was hoping for a simpler solution.
Thanks in advance for your consideration.

Need ideas for using axios when running html file locally (e.g. file:// path in browser)

The goal is to have a .html file that can be opened directly (e.g. run as file://path-to-file.../file.html in Chrome browser).
Their is a /user-json folder, where users can drop in their own .json files and the .html file loads up the json data.
I am currently using axios to a) find all files in that /user-json directory, and then b) load them in for use in the javascript.
The issue is that CORS/Browsers blocks these axios requests due to security policies.
A work around is to use --allow-file-access-from-files, but I want to provide an easy way for anyone to just drop-in their own "user-json" data into that /user-json folder, and have the .html detect and load it up, without needing to play around with their chrome browser settings or even running a web server.
Any ideas for getting this to work or alternative methods? Please don't suggest running the files on a server as I'm away of that option - I'm looking for a way users can provide their own files that the locally opened .html file can detect and load in.
There are many ways you can go about this. It's mostly a matter of picking your favourite abstraction.
Easiest would be to leverage a service like CORS Anywhere. Though of course that isn't the most robust solution, and if you're concerned with the aesthetics of your code, it likely won't appeal (note: there is an NPM package).
Alternatively, if you want to host your own solution, you can spin up a free instance, like a Cloudflare Worker; they even have an example of how to accomplish what you're after here.
Passing your requests through nginx is also possible, and arguably much more succinct and performant.
Any way you go about it, you'll have to route your requests through some kind of proxy, because a stock Chrome browser is not gonna cut it.
Bon voyage.

How to restrict download of js files in a website?

I developed a website using html and javascript. All my logic lies in javascript files. So I want to secure my javascript files being download when the user directly enters the url. Is it possible to restrict?
A javascript file is always downloaded by the client because the client has to be able to execute the code inside. The best thing you can do is obfuscate the javascript code.
Sadly there isn't a definite way to stop people downloading the JS files, CSS files or image files from your website as these are executed within the browser, the best you can do is to try and minify or obfuscate the files in such a way that they become near impossible to read and therefore use or copy.
A great example of obfuscating would be this: http://javascriptobfuscator.com/
A great example of minifying would be this: http://jscompress.com/
Trying using both for to make sure that there is little to no chance of the code being readable to nosey people.
If you restrict it from being downloaded, it is pretty hard for it to be downloaded by the browser to use it. :)
You can look into packing it:
http://dean.edwards.name/packer/
It will not make it secure, but will make people look the other way if they are too lazy to undo it.
A javascript file is always can downloaded by the client .reason the client has to be able to execute the code insidein web
u can try using .htaccess like:
<Files ~ "(.js|.css)">
Order allow,deny
Deny from all
</Files>
How to restrict/forbid access to specific file types such as .js .css inside a .htaccess file?

Prevent Unauthorized access to JavaScript files

Is there any way to prevent unauthorized access to JavaScript files.
<script src="JS/MyScript.js" type="text/javascript">
Users should not be able to view the MyScript.js file.
I would like to know ,is it possible to do that ? If possible please give me an idea. :)
Thank you..
It's not possible.
The file must be fully accessible for it to work in your pages. The server has no way to determine if the request was from a script tag, by directly typing it into the browser window, etc.
You can minify your file to make it less human-readable. You can also obfuscate it, although that will have a performance impact on your website. However these are reversible, and anyone who really wants to reverse engineer your code still can.
As with everything though, you should be prepared for anyone to see anything you put online.
If the JS file is getting loaded on the client its possible to read it.
If you got stuff in the JS file that the user is not supposed to have access to, I would recommend another approach to the problem.
If you don't want it to load at all on the client if its not authorized, you could use some serverside script to prevent it from load.

min.js to clear source

As far i know until now, the min version of a .js(javascript) file is obtaining by removing the unncessary blank spaces and comments, in order to reduce the file size.
My questions are:
How can I convert a min.js file into a clear, easy readable .js file
Besides, size(&and speed) are there any other advtages of the min.js file.
the js files can be encripted?
can js be infected. I think the answer is yes, so the question is how to protect the .js files from infections?
Only the first question is most important and I'm looking for help on it.
TY
To convert a minified file into a editable source, simply open any IDE that supports auto-formatting and auto-format it. I use Netbeans to do this.
If you do client side caching for the minified file, it means to say that the client (computer) needs to process less bytes. Size and speed are the main advantages of a minified file, and they are already great advantages to prepare for a future that requires great load of data transfer. By the way, it also saves you some bandwidth on your server and therefore money.
I don't see the need of encryption. See How to disable or encrypt "View Source" for my site
Javascript files cannot be edited unless it is done so on the server. The security of your Javascript files depends on your 1) server protection 2) data protection. Data should not be able to exploit. But of course, Javascript is executed on the client side, it will be meaningless for the client user to attack him/herself. However Twitter has shown multiple Javascript exploits. You need to constantly test and check your codes against XSS, CSRF and other attacks. This means to say that if your Javascript file has a loophole, it was the developer, you, who created it.
Multiple minifiers exists, that also are able to compress JS, see http://dean.edwards.name/weblog/2007/04/packer3 for one of the most being used. Some others exists, also see the JSMin library http://www.crockford.com/javascript/jsmin.html
The main advantage is the size gain. You should also aggregate your JS files when you have multiple JS files, this also saves a lot of I/O (less HTTP requests) between the server and the client. This is probably more important than minifying.
I can't answer you about encryption. Client security will mainly depend on its browser.
EDIT: Ok my first answer is not for the first question, merged both in 2.

Categories