
Securing a service URL inside a JS file

I have a service-oriented application where a lot of WCF services are called from JavaScript. Is there a way I can encrypt, or do anything about, the service URL inside the JS file? I mean someone can take the URL, make millions of requests to the service and bring the server down.


At some point the URL has to be decoded, for the simple reason that it has to be used at one time or another.

If you have a debugger enabled (Chrome or Firebug), you can easily follow which AJAX call is made, and simply click the URL to make it again!

You can "encrypt" the JS by minifying it, and push further by tweaking or writing your own minifier/packer.

The best way to secure it is to validate the call on the backend (your server).

If you want to push it really hard, you can encrypt the URL part after your server name and use the seed as a subdirectory (www.your.server/sha1EncodedSubUrl?prm=1&etc=more) for each call.

Then you have to make sure your server is able to decode the URL, and link/decode the encoded part to the server file that will respond.

You can then put a time to live on the encoded URL, or link it to the session. There may be some modules/plugins for servers that do just that, like "handy/pretty URLs" mods, but I don't know them.

Alternatively you can send the seed as a pass-through (AJAX sends it back as a parameter), for example www.yourserver.com/yourAjaxResponseFile.phpjswcf?prm=1&etc=more&seed=H48KKSJ17JU


The browser must be able to read the URL to make the call; that means at some point it will be available in plaintext and thus available to a malicious user in plaintext.

Two things to note here:

First, there should NEVER be any sensitive information in JavaScript code. That means passwords, encryption keys, or any information that could remotely be used to do something the user is not authorized to do. Minification/packing only makes the code harder to read, but will not stop a determined attacker. All the authentication and security must be done on the server side, which is the side you can control.

Second, if your service security relies on the URL not being known, you don't have security at all. You can use WCF throttling to try to prevent DoS attacks. A firewall should also help stop this kind of attack by dropping the packets before they even reach the service.

