0

Would it be possible to display different content if someone opened one of my .js or .css files in a browser? I configured Apache to execute PHP code in .js and .css files. How can I detect if the file was requested by a webpage or viewed directly by an user?

Edit: I know there's no way to hide my files 100%. I'm looking for the best way to discourage people from copying my code.

Improve this question
2
  • 4
    You can't. Best you can do is obfuscate and minify it. Commented Jan 1, 2012 at 5:17
  • 3
    This is yet another case of "You can't give information to someone without giving them the information" Commented Jan 1, 2012 at 5:24

2 Answers 2

Reset to default
7

Nothing on the web that works in a browser can be genuinely cloaked. The browser is just an agent requesting the file, same as any agent requesting the file for any use. A server knows no difference between a browser downloading a JS file as part of a web page and a user downloading the JS file to view it. To the server, they are just requests to download the file. The server doesn't know what's going to be done with it.

Even further, JS files and CSS files are usually kept in the disk cache (for performance reasons) where they can be retrieved independent of the server.

The only thing you can do is to obscure your code with minification and obfuscation. Minification makes sense because it also makes thing more efficient. I wouldn't personally recommend obfuscation because it doesn't really stop a determined viewer - it only slows them down slightly. If the browser can understand the JS file to run it, then so can a hacker.

In general, people seem to think that their javascript is somehow way more important a secret than it really is. If you do have some sort of secret algorithm that really needs to be protected, then your best bet is to keep the code for that on the server and use ajax calls to access it from your client javascript as needed.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I think your last paragraph really sums it up. If you don't want people to see it, don't send it to them. Keep your secrets on the server.
+1. Further to your last paragraph I think some people have an over-inflated sense of how good their own code is, too, like there are thousands of people out there lining up to copy it. (I don't mean to imply the OP is such a person; I think this is a question all web developers ask at some point.)
0

You can detect if the file is called directly by the user checking the HTTP Referrer header. But it will not prevent the user to check in Firebug or equivalent tools to see the source of your script.

Improve this answer

1 Comment

Or just set the referrer header as desired - something any determined hacker can do (though it's easier to get it from the disk cache) or capture it in a network traffic analyzer. There is no way to allow a browser access and not allow a human access.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.