Let's say I have a JavaScript file... using .htaccess is there a way I can make it so a user can NOT look inside the JavaScript file?

A: 

No. You can obfuscate it or hide the javascript inside another container (like inline in your page), but not prevent them looking at it.

If you block it with your htaccess file, then the browser will not be able to download it and use it, which makes it pointless having the javascript file. Once downloaded by the browser it sits in the cache on the local machine, so a determined/knowledgeable person can find it and inspect it. If you obfuscate it you will make it very hard for the user to comprehend it, so maybe that is the best option.

slugster
How good would obfuscating it do... like I just don't want them reading the JavaScript file... but if it's all garbaged up.. it would work.
Dan
Why don't you want them to be able to read it? What function does this javascript file perform that it needs to be hidden?
Hellion
What I mean is, would anyone be able to UNDO the obfuscation of my code?
Dan
Yes, sure, if they are willing to spend enough time. So if your algorithms are so good that you don't want to share them with anybody, keep them on the server and provide a proper interface to them. De-obfuscating code that is not meant to be public can be fun. :) That is, de-obfuscating would not be possible for *anyone*, only for *someone*.
Roland Illig
A: 

You can use http://dean.edwards.name/packer/
Check the Base62 encode and Shrink variables boxes to make the JS code hard to read.

Then you have Yahoo compressor: http://developer.yahoo.com/yui/compressor/
And the Google compressor: http://code.google.com/closure/compiler/

The first one is on-line, the 2 last ones need some installation on your machine.

But... as the browser needs to understand the javascript it receives, a patient and decided person will be able to reverse engineer it. But the compressors above will discourage many of them.

Mic
Here's an idea. A PHP include going to a PHP file and inside THAT would be an include to the JavaScript file!
Dan
Also! I can compress the code twice.. once in one compressor and take THAT code into ANOTHER!
Dan
@Dan, then I go to my browser and type the URL of your first PHP page, and I get the JS ;) Don't lose too much time on that. In the end the source is coming as JavaScript to the browser and you have to live with that.
Mic
Well, I don't know if they can RUN the JavaScript - I just don't want them to know what's in it.
Dan
In our web app, for efficiency and to have a single HTTP call, we compress everything in one HTML page: HTML+JS+CSS. This makes the page a long string of ~300kb; I dare anyone to try to read it and understand. Although it is possible.
Mic
A: 

The only way to make your javascript more-or-less "difficult" to read is by compressing and obfuscating it.

Here are some solutions:

Philippe Leybaert
A: 

This is really a pointless exercise. If somebody can run your Javascript on your site, he can run it anywhere else he likes and make any changes he wants. This has not proven to be a very big problem in the history of the Web, so I wouldn't waste much time on it.

If it's really that big of a worry that somebody will "steal" your Javascript, copyright is your best weapon. If some algorithm is secret, do the processing on the server and just provide the result.

Chuck
Oh, how would I do that? I am interested in the server-side processing :)
Dan
@Dan: Have a script (PHP, Ruby, Java — it doesn't matter) on your site that your Javascript calls to with AJAX, providing the input of the algorithm and getting back the output.
Chuck
That sounds too complicated (even though I know Java and PHP) haha.
Dan
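
The server-side approach described in the answer above, as an added example that is not part of the original answer or its comments. The names secretScore, /api/score, handle, serve and getScore are hypothetical, and the scoring formula is a stand-in for whatever logic should stay off the client.

```javascript
// Added example: the algorithm lives only on the server; the browser sees
// its inputs and outputs, never the code. All names here are hypothetical.
function secretScore(values) {
  // Stand-in for the logic you do not want to ship to the client.
  return values.reduce((acc, v, i) => acc + v * (i + 1), 0) % 9973;
}

const MAX_BODY = 4096; // characters; larger request bodies are rejected

// Pure request handler: method, path and raw body in, {status, json} out.
function handle(method, path, rawBody) {
  if (path !== '/api/score') return { status: 404, json: { error: 'not found' } };
  if (method !== 'POST') return { status: 405, json: { error: 'POST only' } };
  if (rawBody.length > MAX_BODY) return { status: 413, json: { error: 'too large' } };
  let data;
  try { data = JSON.parse(rawBody); } catch { return { status: 400, json: { error: 'bad JSON' } }; }
  const values = data && data.values;
  // Never trust client input: check type, count and range before using it.
  const ok = Array.isArray(values) && values.length > 0 && values.length <= 100 &&
             values.every((v) => Number.isInteger(v) && v >= 0 && v <= 1000);
  if (!ok) return { status: 400, json: { error: 'values: 1-100 integers in 0..1000' } };
  return { status: 200, json: { score: secretScore(values) } }; // result only
}

// Wire the handler to Node's built-in HTTP server; call serve(8080) to run it.
async function serve(port) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => {
    let body = '';
    req.on('data', (chunk) => {
      body += chunk;
      if (body.length > MAX_BODY) req.destroy(); // stop reading oversized bodies
    });
    req.on('end', () => {
      const { status, json } = handle(req.method, req.url, body);
      res.writeHead(status, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(json));
    });
  });
  return new Promise((resolve) => server.listen(port, '127.0.0.1', () => resolve(server)));
}

// Browser side: this call is the only code a visitor can read.
async function getScore(values) {
  const r = await fetch('/api/score', { method: 'POST', body: JSON.stringify({ values }) });
  if (!r.ok) throw new Error('score request failed: ' + r.status);
  return (await r.json()).score;
}
```

The endpoint still needs the same authentication and rate limiting as any other API, since anyone who can read the page can also call it.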
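A: 

RewriteEngine on
# Applies when the Referer header does not start with this site's URL
RewriteCond %{HTTP_REFERER} !^http://your-domain\.com/ [NC]
# Answer 403 Forbidden for any path ending in .js
RewriteRule \.js$ - [F]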

This will return 403 code (forbidden) when referer is outside your domain for all javascript files.

jcubic