My doubt still remains and I hope that this time I'll be clearer. My main concern here is to hide this piece of code, which is part of a GET request that sends data to the server and which could be used by MALICIOUS people to attack my application. I don't think it can run on the server side without being seen by the client. So how can I really hide it? ```js function toggleCmmt(cmmtValue) { var img = document.querySelector(".imgvtCmm"+cmmtValue); var currentSrc = img.src; var increment; if (currentSrc.endsWith("assets/imgs/icons8-thick_arrow_pointing_up.png")) { img.src = "assets/imgs/activeUp.png"; increment = 1; } else if (currentSrc.endsWith("assets/imgs/activeUp.png")) { img.src = "assets/imgs/icons8-thick_arrow_pointing_up.png"; increment = -1; } var numberVoteDiv = document.querySelector(".vtscmmt"+cmmtValue); var currentVote = parseInt(numberVoteDiv.textContent); var updatedVote = currentVote + increment; numberVoteDiv.textContent = updatedVote; const user = document.querySelector(".user").value; const idcmmt = cmmtValue; const url = `phpsend.php?u=${user}&idc=${idcmmt}`; sendToServer("GET", url) .then(responseText => { numberVoteDiv.textContent = responseText; }) .catch(error => { console.error('Erro:', error); }); } ```
You have the user ID in a hidden field. You need to put some secret in another hidden field. This could be a digest of the user password or a digest of the user ID and salt or whatever. Pass that secret back to the server to verify the request.
That's EXACTLY what I did. I believe I now have a lower chance of being hacked. The service I'm working on is still in a development environment, but I'm already looking for more robust solutions for better security.
I dont know what you want anyone to say. for code to run, it must be executed on a machine. That machine be either be the clients device or the server. If you do not want the client to be able to see the code, then you must not transmit it to them. meaning that you can not have the code run on their machine. it must be server side only. there really is no other way. If you need to, try to split up the method. Keep in mind i dont know nothing about php. However i can imagine that its possible to have half the code on the client device grab a few values (based on what the users action is) and pass those to the backend which will receive it, determine the right action, then return the appropriate response. checks on the backend that verify that recieved cmds fall into only a few exact matches should limit what a bad actor can do, however, there is no real way to prevent someone from sending custom crafted http request to a server. thats just not how the internet works. Even if you did manage to hide EVERYTHING in the backend, there is nothing that can stop someone from sending custom http request. you need to make the server resilient and have checks for incoming request like this. there is no good solution I dont have any example code.
I see that the only solution is to strengthen the checks in the backend so that they limit any bad intensions.