开发者

Block access to JavaScript file

Let's s开发者_Go百科ay I have a JavaScript file... using .htaccess is there a way I can make it so a user can NOT look inside the JavaScript file?


RewriteEngine on
RewriteCond %{HTTP_REFERER} !http://your-domain\.com/.* [NC]
RewriteRule ^.*js$ - [F]

This will return 403 code (forbidden) when referer is outside your domain for all JavaScript files.

NOTE: But this solution will only make access to the file harder. If someone will want to see the file, he will do that eventually. Because you can't fully block the js files, if the browser can read it, the user also will. Example: you only can open dev tools and you will see the source. Or if someone will figure out that the block is by referrer he can create link to file or use other way to add the header to the request.


No. You can obfuscate it or hide the javascript inside another container (like inline in your page), but not prevent them looking at it.

If you block it with your htaccess file, then the browser will not be able to download it and use it, which makes it pointless having the javascript file. Once downloaded by the browser it sits in the cache on the local machine, so a determined/knowledgeable person can find it and inspect it. If you obfuscate it you will make it very hard for the user to comprehend it, so maybe that is the best option.


The only way to make your javascript more-or-less "difficult" to read is by compressing and obfuscating it.

Here are some solutions:

  • YUI Compressor
  • Online Javascript Compressor


You can use http://dean.edwards.name/packer/
Check the Base62 encode and Shrink variables boxes to make the JS code hard to read.

Then you have Yahoo compressor: http://developer.yahoo.com/yui/compressor/
And the Google compressor: http://code.google.com/closure/compiler/

The first one is on-line, the 2 last ones need some installation on your machine.

But... as the browser needs to understand the javascript it receives, a patient and decided person will be able to reverse engineer it. But the compressors above will discourage many of them.


This is really a pointless exercise. If somebody can run your Javascript on your site, he can run it anywhere else he likes and make any changes he wants. This has not proven to be a very big problem in the history of the Web, so I wouldn't waste much time on it.

If it's really that big of a worry that somebody will "steal" your Javascript, copyright is your best weapon. If some algorithm is secret, do the processing on the server and just provide the result.


You Can't Really Protect Your Javascript Files


Using Developer Tools on Google Chrome:

Click on Resources > Your Site > Scripts > filename.js

And it will appear right there Crystal Clear.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜