1739895800

How do I hide sensitive parts of my JavaScript code?


I've been working a lot with JS and I always get this question: how do I hide the important and sensitive parts of my application that are exposed in my JS code? In some of the AJAX functions, important paths of the application are listed. Are these obfuscation methods really efficient, or can they also be hacked?

(9) Comments
amargo85
1739988521

`fschmidt` that's not the code, I just used this example to show `davidm8624` what obfuscation looks like


Davidm8624
1739903154

EVERYTHING that is sent to the client device can be discovered. Hell, even with the inspect element tool in the browser you can play around with almost everything. Obfuscation is not a good idea. It just complicates the code, and someone who is really determined to cause problems for you will piece everything together. Making your code deliberately confusing is a stupid and low-effort way to solve a problem. Most webpages are designed to run similar to a web app. Maybe not for you because of your heavy usage of PHP, but still. The reason that we have been making things this way is because the average computer, including smartphones, has gotten powerful enough to run most websites' JS locally. Because the logic is done on the device, all the functionality is instantly available to the user. This also makes slow cellular data connections less of a pain in the butt. The alternative is to have everything be done server side. This will take the work off of the client device and put all the logic on the server. This can make heavyweight websites easier to run on really low-performance devices. However, it makes heavier reliance on the network, debilitating devices that are on cellular or rural internet. The way a website like this works is basically having everything work through an API layer of sorts. Actions on the client device send requests to the server, which will process them and then return the appropriate response. Websites that use this method often feel sluggish, as almost all user actions are awaiting a response from the server. Another negative is that having your server just listening for requests from clients can lead to very significant security issues, as someone can use tools (I've only ever used Postman a bit, so don't ask difficult questions) to poke around and see what they get back. This method will mostly just give you back errors, but someone with enough time could eventually come up with some malicious request that could do who knows what.
Keeping everything in a black box on the server is often slower, will cost more thanks to higher server usage, and can leave you open to types of attacks. Client-side processing is only difficult for those with really poor-performance devices. If you are trying to help users with that issue, you should just work on optimizing your code and cutting out unneeded bits. Try to send as few requests to the server as possible, as that is what takes the longest time, and although it might fix your concern of having people be able to read your code, you will end up opening a much more dangerous attack vector that you will now have to be paranoid about all the time. There is no good answer to your question, as obfuscation is stupid, and moving everything server side makes the site unusable, especially if there are a lot of simultaneous users. Some things that are super critical, like logins and payment systems, should be server side, hence why those processes take longer. But try not to move too much over. Only stuff that you are adamant must not be public.

amargo85
1739913043

That's why obfuscating some parts may solve the app's security issue, especially for those who use Ajax requests. But it seems to me that you still have a lot to say about web application security 8-|

Davidm8624
1739915828

It won't solve anything. It'll just make it harder to maintain. All it will do is make anyone who wants to do something malicious take even longer to do it. All obfuscation is, is making your code spaghetti intentionally, having bad variable names, and complicating the code so that anyone reading it gets a headache and quits. It's not real security. It's like me putting up a fence around my house. A simple fence will offer very little security. There is NO barbed wire, nothing. Just a short waist-high fence. Then I think: well, that's not secure. So I put up 30 rows of these waist-high fences. All I did is make the intruder do a steeplechase exercise to break in. It's not real security.

amargo85
1739916372

So tell me: what would be the best way to protect sensitive parts of my code? Because in the comment above you weren't explicit enough.

Davidm8624
1739931431

I can't be explicit because it is a very vast subject. I believe my last paragraph kinda sums up how I feel about it: "There is no good answer to your question, as obfuscation is stupid, and moving everything server side makes the site unusable, especially if there are a lot of simultaneous users. Some things that are super critical, like logins and payment systems, should be server side, hence why those processes take longer. But try not to move too much over. Only stuff that you are adamant must not be public." I don't have any good suggestions. What are you trying to protect? Look at how big it is. If it's a function that will NOT be called frequently, then run it server side. If it's something that is called often, you don't want to bog down the site awaiting a response, therefore you will need to find a different way to protect it. So. Is it small and infrequently called or not?

amargo85
1739973573

It will be something that is called without the site being loaded. I got a tool that obfuscates the code at that level. I don't know how secure it is, but it already makes the CRIMINALS lazier about breaking in. The obfuscation only goes into the production environment, so it's easier to maintain the system. Here's an example of obfuscation. The code went from this:

```js
const message = document.querySelector("#message");
const myArray = ["Laurence", "Mike", "John", "Larry", "Kim", "Joanne", "Lisa", "Janet", "Jane"];

build();
//addClicks();

function build() {
  let html = "<h1>My Friends Table</h1><table>";
  myArray.forEach((item, index) => {
    html += `<tr class="box" data-row="${index + 1}" data-name="${item}" onclick="getData(this)"> <td>${item}</td>`;
    html += `<td >${index + 1}</td></tr>`;
  });
  html += "</table>";
  document.getElementById("output").innerHTML = html;
}

function getData(el) {
  let temp = el.getAttribute("data-row");
  let tempName = el.getAttribute("data-name");
  message.innerHTML = `${tempName} is in row #${temp}`;
}
```

to this:

```js
const _0x5292b4=_0x387b;
(function(_0x50e21c,_0x4f7c11){const _0x4de81a=_0x387b,_0x5ac79c=_0x50e21c();while(!![]){try{const _0x404fc0=parseInt(_0x4de81a(0x1ab))/0x1+parseInt(_0x4de81a(0x1c6))/0x2*(parseInt(_0x4de81a(0x1c4))/0x3)+parseInt(_0x4de81a(0x1b7))/0x4+-parseInt(_0x4de81a(0x1bd))/0x5*(parseInt(_0x4de81a(0x1b3))/0x6)+parseInt(_0x4de81a(0x1ac))/0x7*(parseInt(_0x4de81a(0x1b2))/0x8)+-parseInt(_0x4de81a(0x1b8))/0x9+-parseInt(_0x4de81a(0x1c2))/0xa*(parseInt(_0x4de81a(0x1b6))/0xb);if(_0x404fc0===_0x4f7c11)break;else _0x5ac79c['push'](_0x5ac79c['shift']());}catch(_0x13b268){_0x5ac79c['push'](_0x5ac79c['shift']());}}}(_0x2bf8,0xbb711));
const message=document['querySelector'](_0x5292b4(0x1b4)),myArray=[_0x5292b4(0x1a8),_0x5292b4(0x1a7),_0x5292b4(0x1b1),'Larry',_0x5292b4(0x1b0),_0x5292b4(0x1ad),_0x5292b4(0x1b9),'Janet',_0x5292b4(0x1bc)];build();
function _0x387b(_0x1b82ba,_0x39bc5f){const _0x2bf85f=_0x2bf8();return _0x387b=function(_0x387b59,_0x41ee37){_0x387b59=_0x387b59-0x1a6;let _0x5608aa=_0x2bf85f[_0x387b59];return _0x5608aa;},_0x387b(_0x1b82ba,_0x39bc5f);}
function build(){const _0xb624b7=_0x5292b4;let _0x91f2ff=_0xb624b7(0x1a9);myArray[_0xb624b7(0x1ba)]((_0x15e1bf,_0x58a9eb)=>{const _0x1db81f=_0xb624b7;_0x91f2ff+=_0x1db81f(0x1ae)+(_0x58a9eb+0x1)+_0x1db81f(0x1b5)+_0x15e1bf+_0x1db81f(0x1af)+_0x15e1bf+_0x1db81f(0x1c3),_0x91f2ff+=_0x1db81f(0x1c0)+(_0x58a9eb+0x1)+_0x1db81f(0x1c1);}),_0x91f2ff+=_0xb624b7(0x1a6),document[_0xb624b7(0x1c5)](_0xb624b7(0x1bf))[_0xb624b7(0x1be)]=_0x91f2ff;}
function _0x2bf8(){const _0x2f8bb1=['751098tpNprQ','7aeMdhC','Joanne','<tr\x20class=\x22box\x22\x20data-row=\x22','\x22\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20onclick=\x22getData(this)\x22>\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<td>','Kim','John','4177864zXsqwk','1230NDuDPd','#message','\x22\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20data-name=\x22','101013qifLTg','4916916WooDGz','12173805plJNBq','Lisa','forEach','getAttribute','Jane','12295DfotRb','innerHTML','output','<td\x20>','</td></tr>','890uaVwxF','</td>','2988EVIqPx','getElementById','1886MvQzap','</table>','Mike','Laurence','<h1>My\x20Friends\x20Table</h1><table>','data-row'];_0x2bf8=function(){return _0x2f8bb1;};return _0x2bf8();}
function getData(_0x104eb7){const _0x2bd0cd=_0x5292b4;let _0x5c7a35=_0x104eb7['getAttribute'](_0x2bd0cd(0x1aa)),_0x5547b2=_0x104eb7[_0x2bd0cd(0x1bb)]('data-name');message[_0x2bd0cd(0x1be)]=_0x5547b2+'\x20is\x20in\x20row\x20#'+_0x5c7a35;}
```

By the way, if this post generates a conversation, don't leave it without a LIKE :)
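An added example, not code from the post or its author: the obfuscated output above keeps every literal in one string table and ships the routine that rotates and indexes it, so the very same routine recovers every literal, which is why the thread treats this as a maintenance cost rather than a security control. The table is copied from the post (whitespace inside the two HTML fragments shortened); the checksum formula, the 0xbb711 target and the 0x1a6 offset are the ones in the sample.

```javascript
// Constructed from the obfuscated sample above: its string table, the checksum
// its rotation loop waits for, and the offset subtracted from every lookup.
const TABLE = ['751098tpNprQ', '7aeMdhC', 'Joanne', '<tr class="box" data-row="',
  '"\n onclick="getData(this)">\n <td>', 'Kim', 'John', '4177864zXsqwk', '1230NDuDPd',
  '#message', '"\n data-name="', '101013qifLTg', '4916916WooDGz', '12173805plJNBq',
  'Lisa', 'forEach', 'getAttribute', 'Jane', '12295DfotRb', 'innerHTML', 'output', '<td >',
  '</td></tr>', '890uaVwxF', '</td>', '2988EVIqPx', 'getElementById', '1886MvQzap',
  '</table>', 'Mike', 'Laurence', '<h1>My Friends Table</h1><table>', 'data-row'];
const BASE = 0x1a6;     // every lookup index in the sample is offset by this
const TARGET = 0xbb711; // the IIFE rotates the table until this value appears

// Same arithmetic as the sample's IIFE; parseInt reads the leading digits of
// entries like '751098tpNprQ' and yields NaN for the non-numeric ones.
function checksum(arr) {
  const f = (i) => parseInt(arr[i - BASE]);
  return f(0x1ab) / 1 + f(0x1c6) / 2 * (f(0x1c4) / 3) + f(0x1b7) / 4
    + -f(0x1bd) / 5 * (f(0x1b3) / 6) + f(0x1ac) / 7 * (f(0x1b2) / 8)
    + -f(0x1b8) / 9 + -f(0x1c2) / 10 * (f(0x1b6) / 11);
}

// Rotate (push(shift())) until the checksum matches, exactly as the sample does,
// but bounded: one full cycle without a match means the table was tampered with.
function alignTable(table) {
  const arr = table.slice();
  for (let k = 0; k < arr.length; k++) {
    if (checksum(arr) === TARGET) return { arr, rotations: k };
    arr.push(arr.shift());
  }
  throw new Error('checksum never matched');
}

// Resolve one obfuscated call such as _0x5292b4(0x1b4) to its literal.
function lookup(aligned, index) {
  return aligned[index - BASE];
}

// Map a list of indices seen in the sample back to the strings they hide.
function recoverLiterals(indices) {
  const { arr } = alignTable(TABLE);
  return Object.fromEntries(indices.map((i) => [`0x${i.toString(16)}`, lookup(arr, i)]));
}

// The selector, the output element id and the first friend fall straight out:
// { '0x1b4': '#message', '0x1bf': 'output', '0x1a8': 'Laurence', '0x1be': 'innerHTML' }
console.log(recoverLiterals([0x1b4, 0x1bf, 0x1a8, 0x1be]));
```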

Davidm8624
1740010848

I'm saying the same thing as him. Obfuscation just annoys people, both you (when you inevitably have to maintain it) and the hackers. If it's really important, move it to the backend. But don't move everything to the backend or else service will be slower. Also, why would I give this a like? I'm trying to convince you NOT to do it, not encourage you. lol

    vote comment 0
fschmidt
1739986690

Why would you want to hide this? I think there is rarely any JavaScript worth hiding, and when there is, move it to the server.

    vote comment 2
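What "move it to the server" (Davidm8624 and fschmidt above) looks like in practice, as an added example that is not from the thread: the route table, price list, sessions and requests are constructed, and `handle` stands in for whatever backend the AJAX calls reach. It shows why the paths listed in client-side JS can stay public: the server authorizes and validates every request itself and never trusts values the client computed.

```javascript
// Constructed route table: which roles may call which "important path".
// The same table is what a curl or Postman user probes; the outcome must not
// depend on whether the request came from the page.
const ROUTES = {
  'GET /api/friends':      { roles: ['user', 'admin'] },
  'POST /api/checkout':    { roles: ['user', 'admin'] },
  'GET /api/admin/export': { roles: ['admin'] },
};
// Server-side price list (cents). The client sends an item id, never a price.
const PRICES = { book: 1200, pen: 150 };

// Authorize one request. Unknown path -> 404; known path, wrong role -> 403.
function authorize(session, method, path) {
  const route = ROUTES[`${method} ${path}`];
  if (!route) return { status: 404 };
  const role = session ? session.role : null;
  if (!role || !route.roles.includes(role)) return { status: 403 };
  return { status: 200, route };
}

// Checkout: validate the only two client-controlled fields, recompute the total.
function checkout(body) {
  const qtyOk = Number.isInteger(body.qty) && body.qty > 0 && body.qty <= 100;
  if (!qtyOk || !Object.hasOwn(PRICES, body.item)) return { status: 400, error: 'bad input' };
  return { status: 200, total: PRICES[body.item] * body.qty };
}

// Dispatcher run for every request; the client-side JS only needs the fetch call.
function handle(session, { method, path, body }) {
  const auth = authorize(session, method, path);
  if (auth.status !== 200) return { status: auth.status };
  if (path === '/api/checkout') return checkout(body || {});
  if (path === '/api/admin/export') return { status: 200, rows: [] }; // placeholder payload
  return { status: 200, friends: ['Laurence', 'Mike', 'John'] };
}

// Constructed sessions. The admin path is "known" to every client; only the
// server-side check decides whether it does anything.
const anon = null, user = { role: 'user' }, admin = { role: 'admin' };
console.log(handle(user, { method: 'GET', path: '/api/admin/export' }).status);  // 403
console.log(handle(admin, { method: 'GET', path: '/api/admin/export' }).status); // 200
console.log(handle(anon, { method: 'GET', path: '/api/friends' }).status);       // 403
// A client-supplied total of 1 cent is ignored; the server computes 2 * 1200.
console.log(handle(user, { method: 'POST', path: '/api/checkout',
  body: { item: 'book', qty: 2, total: 1 } }).total);                            // 2400
```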
