Let's say I have a JavaScript file... using .htaccess is there a way I can make it so a user can NOT look inside the JavaScript file?
RewriteEngine on
RewriteCond %{HTTP_REFERER} !http://your-domain\.com/.* [NC]
RewriteRule ^.*js$ - [F]
This will return 403 code (forbidden) when referer is outside your domain for all JavaScript files.
NOTE: But this solution will only make access to the file harder. If someone will want to see the file, he will do that eventually. Because you can't fully block the js files, if the browser can read it, the user also will. Example: you only can open dev tools and you will see the source. Or if someone will figure out that the block is by referrer he can create link to file or use other way to add the header to the request.
No. You can obfuscate it or hide the javascript inside another container (like inline in your page), but not prevent them looking at it.
If you block it with your htaccess file, then the browser will not be able to download it and use it, which makes it pointless having the javascript file. Once downloaded by the browser it sits in the cache on the local machine, so a determined/knowledgeable person can find it and inspect it. If you obfuscate it you will make it very hard for the user to comprehend it, so maybe that is the best option.
The only way to make your javascript more-or-less "difficult" to read is by compressing and obfuscating it.
Here are some solutions:
YUI Compressor
Online Javascript Compressor
You can use http://dean.edwards.name/packer/ Check the Base62 encode and Shrink variables boxes to make the JS code hard to read.
Then you have Yahoo compressor: http://developer.yahoo.com/yui/compressor/
And the Google compressor: http://code.google.com/closure/compiler/
The first one is on-line, the 2 last ones need some installation on your machine.
But... as the browser needs to understand the javascript it receives, a patient and decided person will be able to reverse engineer it. But the compressors above will discourage many of them.
This is really a pointless exercise. If somebody can run your Javascript on your site, he can run it anywhere else he likes and make any changes he wants. This has not proven to be a very big problem in the history of the Web, so I wouldn't waste much time on it.
If it's really that big of a worry that somebody will "steal" your Javascript, copyright is your best weapon. If some algorithm is secret, do the processing on the server and just provide the result.
You Can't Really Protect Your Javascript Files
Using Developer Tools on Google Chrome:
Click on Resources > Your Site > Scripts > filename.js
And it will appear right there Crystal Clear.
Related
I developed a website using html and javascript. All my logic lies in javascript files. So I want to secure my javascript files being download when the user directly enters the url. Is it possible to restrict?
A javascript file is always downloaded by the client because the client has to be able to execute the code inside. The best thing you can do is obfuscate the javascript code.
Sadly there isn't a definite way to stop people downloading the JS files, CSS files or image files from your website as these are executed within the browser, the best you can do is to try and minify or obfuscate the files in such a way that they become near impossible to read and therefore use or copy.
A great example of obfuscating would be this: http://javascriptobfuscator.com/
A great example of minifying would be this: http://jscompress.com/
Trying using both for to make sure that there is little to no chance of the code being readable to nosey people.
If you restrict it from being downloaded, it is pretty hard for it to be downloaded by the browser to use it. :)
You can look into packing it:
http://dean.edwards.name/packer/
It will not make it secure, but will make people look the other way if they are too lazy to undo it.
A javascript file is always can downloaded by the client .reason the client has to be able to execute the code insidein web
u can try using .htaccess like:
<Files ~ "(.js|.css)">
Order allow,deny
Deny from all
</Files>
How to restrict/forbid access to specific file types such as .js .css inside a .htaccess file?
I designed one website but I don't want to give access to end user to download my css and js files.
because If I designed one website so anybody can stolen my design by downloading my css and js files.
So is there any mechanism for secure our css and js files?
There is not really any way to secure your CSS and JS from being downloaded as the users browser needs to download these files.
One technique which is normally used to reduce CSS and JS file sizes is minification. Although it does not secure the files as such, it makes JS far harder to understand when you choose to mangle the variable names.
Online JS minifier to try out
It is not possible. Browser need to read your css file and js file. If browser can read then user can read also. You can minify your codes only e.g http://refresh-sf.com/yui/ and also you can add copyright comment blocks.
For javascript I would suggest you to use Base62 encoding.
This will also reduce the size and thus boost the performance since there will be less loading time
You can do base 62 encoding here
Other than that you cannot host your javascript file into an non downloadable form!!
Same goes with CSS too.
Once someone enters the full link the css/js files will be shown. All the files be available in the clien machine!!
To put up a plain straight answer to your question, the answer is NO
In order for visitors to see and use your site, they will have to download the necessary styles and scripts.
You can compress and obfuscate your code of course (the former actually benefits the end-user), but that's the best you can do; it won't stop someone from ripping it and using it as-is for their own nefarious purposes.
Now, your code is technically copyrighted; if you find someone who infringed on this copyright and they're using either a literal copy or a substantial part of your original work, you could theoretically sue them. Whether this is a viable approach is a tough question to answer and you will need someone with at least some kind of law degree and/or experience in this field.
Personally I would say that your chances of successful legal retribution are low, but so is the chance of someone stealing your code and profiting from it.
Is there any way to "edit" a "server side" javascript file in one of the mentioned browsers that will save the js edits on the client side and replace the server side scripts?
Basically I want to edit the javascripts on the server. Obviously I can't save them on the server so they need to be saved on the client side(my computer) and the browser needs to load my scripts instead.
It shouldn't be hard to do at all but I've not been able to find any way to accomplish this.
Edit:
I want to modify the javascript's from a site I do not own or have write access too. e.g.,
Html page uses some javascript page on server. I want to modify this javascript file(the actual file).
I can download and save the javascript file BUT the html page will always use the one on the server because that is what is in the script tag. I need to modify the script tag of the html page to point to the local javascript file BEFORE the html page's scripts are executed(else the javascript from the server will be used).
here, for example, is a script tag from SE:
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
It uses a non-local javascript file. I need to replace this line with my own line before any javascript is executed. It would like like:
<script type="text/javascript" src="file://C:/temp/myjquery.min.js"></script>
or whatever. (this way, I can modify the jquery file and have it execute my own version of the one on the server)
I, could, ofcourse, download the html file and modify it BUT then php code may not work among other things. (for example, relative links will be broke)
this is usually very easy in Opera: Just view source, edit what you want and use the special "Tools > Advanced > Reload from cache" command instead of a normal reload. Voila, you'll be running the site with your modified scripts..
(There are some exceptions, related to specific no-caching techniques some sites use it won't work 100% for all files - but it certainly should work for anything served from googleapis.com)
I think what you're looking for is something like LiveReload
It allows you to edit css files and have the browser apply the changes without refreshing the browser.
The windows version is in alpha right now but the Mac version works quite well for CSS.
I don't know if it does Javascript but I think it might.
You could also try the Chrome DevTools. It's a chrome extension that does just what you want with javascript and css.
No problem, you want to use bookmark-lets for this. Indeed it is easy, just remember to use an anonymous autoexecuting function: javascript:(function(){ //commands })();
In the sane good old day's one could even place this javascript directly into your addresses, but nowaday's some browser-builders (like firefox we coders USED to trust in the old day's) are being a 'good boy' and listen to facebook's 'demands' to kill normal standard functionality in favor of their lack on comprehending closures... But alas..
Ofcourse you could also create a bookmark to fix firefox's insanity, again reclaiming power to the user :)
Every time you visit the site, you click your bookmarklet. Done.
One can even make it 'memory resistant' for as long als you are on the same page (if you really want to). Naturally power is with the user/visitor AS IT SHOULD BE, not with the webmaster (who already publicly shared whatever info).
You might also look into greasemonky on firefox and comparable solutions.
Good luck
Build a string on the server side to write all your javascript code on the server side.
I'm writing a javascript that generates some data. I intend to use it as a free web application, open for everyone that want to use it.
But I got a lot of time and effort to write this this script (mainly because I want it to personal use and I couldn't find anything efficient and resumed as this). I'm a beginner developer and I know is impossible to protect or obfuscate the script because you don't even need other app to decoding obfuscated info, there's a lot of methods and the laziest is just find the "eval" word in the js file and replace it with "alert". When you open the html page boom you receive a popup window with all the code decoded...
What I'm asking is if there's anyway to prevent when a user "save as..." the page with the browser, the javacript and css files do not be saved in the structure.
In the past I tried to save some pages with the browser and I only could save the html file (and sometimes not even with all the html information, I suspect there was iframes), no js and no css... I tried with some websites downloaders (sitesucker,deepvacumm,etc) and not even with this downloaders I was able to download the files. The only way was to "inspect" the page and download it manually and make the folder structure manually.
As I said I want to give this script totally free as a service (I will even buy a domain for it) because I made it with love. My only request (to receive some kind of personal pride) is that when people want to use it they came to my site and made it in real time and if they "save as..." the page, they can save the generated information that don't save the script, so they came back again to use the service.
Does anyone can help with some tips and information. Links, advices, professional and personal tricks?
I think it is not possible to prevent access to the Javascript code in the browser. I also think that by minifying the JS code e.g. with Google's Closure compiler (ADVANCED option) you protect your code as much as you can. Although the code can be copied as it is, it cannot be understood or modified with a reasonable effort.
You could download all JavaScript/CSS files through one JavaScript file (a loader), like this. That way, downloaders have to execute JavaScript before they can know what JavaScript/CSS files are included, which I don't think they do. As I said in my comments, I'm not entirely sure whether this works!
HTML:
...
<script src="loader.js"></script>
<!-- no other JavaScript/CSS here -->
...
loader.js:
window.onload = function() {
var head = document.getElementsByTagName('head')[0]; // the <head>
var scriptElement = document.createElement('script'); // create <script>
scriptElement.src = 'file1.js';
head.appendChild(scriptElement); // add <script> to <head>
var linkElement = document.createElement('link'); // create <link>
linkElement.setAttribute('rel', 'stylesheet');
linkElement.href = 'file1.css';
head.appendChild(linkElement); // add <link> to <head>
}
Convert your code to a server side script (PHP, Python, C#, etc). It's the only way to be sure your users won't be able to "steal" your work.
JavaScript must eventually be decoded by my browser, and at that moment, is available to me too, and there is no way to prevent it, you can only make it harder.
But the bottom line is: why do you have to do it? If you only want "personal pride" wouldn't it be better to upload your code to a collaborative site like github or SourceForge where other people can appreciate your work and maybe even contribute to it?
Also, if you share your code under a licence like GPL or CC everyone who reuses your code must give credit to you (yes, one can simply steal it, but that is possible under your scenario, too).
There is really no technical solution to your problem: if the user can execute your javascript, they will have to download it somehow. Whatever solution chosen, anyone with sufficient knowledge of Firebug or the Webkit inspector will be able to retrieve the script. You can obfuscate it my minifying it, but it will not prevent anyone to use it as-is.
The solution to your problem is legal, not technical. If you explicitly state, in your Javascript header, that the script is under a restrictive licence, anybody copying it would break the law. If you find somebody doing this, you can then:
nicely ask them to remove the script from their site
threaten to sue?
(by the way, if I may give a personal opinion here, there is much personal pride to be had in giving away code anybody can re-use... you can include your name and a link to your site in the header of the script: it is considered very bad form (and potentially illegal) to remove attribution and copyright notices)
My understanding was that only the javascript code placed inline in the HTML page would show, never the code stored in .js files
...and I had never seen in any browser code in a .js file show on the clientside...
until I started to use Chrome and noticed all my code is available for viewing???
Have I been convincing myself the code is safe in .js files, when in fact it never was?
and while on this subject can a responder be totally clear whether the code in .js files can be hidden or not.
I have read many posts that left me doubting whether it can be done or not.
. Some say to place it in a .js file on the server so it executes on the server...
--- using 'language=javascript' and an html line with 'runat server'? no idea how to do that.
--- But, would that not defeat the purpose of speed, and refresh since the server has to be accessed?
--- might as well code it in the code-behind???(C#, VB, php, ...)
. Some say use an AJAX call etc... but it seems others contradict that, saying the code lands on the clientside anyway thus will show? ...and I am assuming this would be a callback with no page redraw...
JavaScript is executed in the browser, this means the script has to be submitted to the client. So, of course anyone can view the code, wether it's happening in the developer tools, getting the direct link out of your html or, for example, using a http sniffer.
Altough, there are some methods to make the script unreadable for humans.
Minifying your script is a good practice in general. It decreases file-size, so the client has to download less, speeding up loading time. After all, this does not really help making your script "unreadable" for users, there are a lot of deminifying services all around the web.
Still, there is another way: obscurifying (or obfuscate) your script. This replaces the code to make it unreadable. Unfortunately, I don't really have experience with using this technique, so I don't know how it would affect the performance of the js-code.
Maybe you want to have a look at this: How can I obfuscate (protect) JavaScript?
Javascript code can be seen even if its in a .js file the only thing you can do to make it little tough to understand is minify the js file.
Actually, javascript code stored in a separated file wont be shown directly; the user must explicitly type the name of the file in the address bar to see its content.
The only way to hide it is, as said before, to minify the file, which compress the file and make it unreadable for humans.