views: 41, answers: 3

I've noticed on viewing the source of my Rails app that a lot of information is publicly available that shouldn't be - specifically a Google Analytics script that contains my GA account number, and the authenticity tokens for my forms. Are there any guidelines on hiding this kind of code in the source?

+1  A: 

Your Google Analytics ID and the authenticity token both need to be available for the browser to do its job. They don't need to be hidden. There is no security risk associated with letting a user see them.

calmh
Yeah? Okay, feel dumb, but thanks.
kateray
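To show why the token can sit in plain view, here is an added Ruby example (not from this thread and not Rails' own code): a simplified model of the check behind Rails' protect_from_forgery, where the token is minted per session, written into every form, and compared server-side on state-changing requests. The CsrfGuard class, the request hash shape and the csrf_demo function are assumptions made for the illustration; real Rails additionally masks the token per request.

```ruby
require "securerandom"

# Simplified model of the check behind Rails' protect_from_forgery (the real
# implementation also masks the token per request). The token lives in the
# session, is written into every form (hence visible in "view source") and is
# compared server-side on state-changing requests.
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Return the session's token, minting one on first use.
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so the check does not leak the token through timing.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # request is a hash (assumed shape): method, params, headers, session.
  # Safe methods are exempt, as in Rails, because they must not change state.
  def self.verified?(request)
    return true if SAFE_METHODS.include?(request[:method].to_s.upcase)
    expected = request[:session][:_csrf_token]
    return false if expected.nil?
    submitted = request[:params]["authenticity_token"] || request[:headers]["X-CSRF-Token"]
    secure_compare(expected, submitted.to_s)
  end
end

# Worked scenario: the token a user can see in their own page source only
# authorises requests carried by that user's own session; a request without it,
# or carrying a token minted for some other session, is rejected.
def csrf_demo
  victim = {}
  token = CsrfGuard.token_for(victim)
  legit  = CsrfGuard.verified?(method: "POST", params: { "authenticity_token" => token }, headers: {}, session: victim)
  no_tok = CsrfGuard.verified?(method: "POST", params: {}, headers: {}, session: victim)
  other  = CsrfGuard.token_for({})
  cross  = CsrfGuard.verified?(method: "POST", params: { "authenticity_token" => other }, headers: {}, session: victim)
  { legit: legit, missing_token: no_tok, other_sessions_token: cross }
end

puts csrf_demo.inspect if $PROGRAM_NAME == __FILE__
```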
A: 

If by "view source" you mean the HTML returned from the server, then no. There are services and products that will encode your page and make it difficult to decipher, but it's never impossible as your browser will ultimately have to do it in order to render the page. Most of these page encryptors, as they are sometimes called, will make your site impenetrable to search engines since they won't run your JavaScript before indexing the page.

Have a look at other sites and you'll see it's fairly common practice to leave this sort of stuff open since the time and effort involved in obscuring or hiding it is a waste of time. So long as you're not revealing any sensitive information inadvertently, like your Amazon S3 account keys or the secret used for encrypting your session, which is unlikely to happen by accident, then you'll be fine.

Think about it for a moment, though. Without the browser having access to your Google Analytics account number, how would the Google script know which account to track against?

tadman
A: 

I don't think it's dangerous to have your authenticity token there. In order to see that authenticity token, a user has to be logged in. It doesn't matter if that user has the authenticity token for that session or not. It should expire when the user logs out.

However, it is possible to hide these things from the source if you want to (although they'll still be available if you have Firebug or a similar utility).

For your GA script, you could consider it a resource. Your application.js (or some other included js file) could make an AJAX call to the controller (the request header has to accept javascript) and your controller could send back a js.erb file that has the script included. This js is now only visible in Firebug if you look at the response to the request to the controller. You will not see it in the source.

For the authenticity token, you can do something similar. I've created a JavaScript form builder in one of my apps. This form builder is a resource which is once again retrieved through an AJAX call and sent down as js.erb. The js.erb file has a FormBuilder constructor. Within that constructor, there is a builder.form() function which does this:

return $('<%= escape_javascript(capture { form_for(@object) { |f| } }) %>'); // escape_javascript keeps quotes/newlines in the rendered form from breaking the JS string literal

That will return a jQuery object which contains a Rails form with the authenticity token and all the other goodies.

If you want your JS form builder to do more than just spit out a form (e.g. dynamically create properties for the builder object based on the object's attribute names which contain inputs, checkboxes, and collections for the corresponding attributes), talk to me and I can tell you how I did that too :)

Samo