How to hide app.js, controller.js files or code?
They are visible in html source. Is there anyway to hide them?
-
You cannot hide but you can always minify your script. Search for javascript minification.Chandermani– Chandermani2013-10-20 09:55:21 +00:00Commented Oct 20, 2013 at 9:55
-
Angularjs code is javascript, and js is always visible to user, though you can obfuscate it.defau1t– defau1t2013-10-20 09:55:42 +00:00Commented Oct 20, 2013 at 9:55
-
@defau1t Thank you for your answers.. But i dont mean angularjs it self.. for example my controller and route codes visible to user? i use php for backend. is it not a vulnerability that my controller and route codes visible to user? sorry for my englishOMahoooo– OMahoooo2013-10-20 09:59:20 +00:00Commented Oct 20, 2013 at 9:59
-
I don't think there is any problem with that. Take a look at this angular site, fontdragr.com if you do a view source you could see all the services, factories, directives in view source.defau1t– defau1t2013-10-20 10:45:54 +00:00Commented Oct 20, 2013 at 10:45
-
2All your actual security checks should be done server-side anyway. All you do with angular/js/html is to give a presentation to the user. All the sercurity features you got in angular itself are for the user using his browser, not for preventing him to do anything wrong...s-hoff– s-hoff2014-09-17 20:13:07 +00:00Commented Sep 17, 2014 at 20:13
Add a comment
|
5 Answers
This cannot be done.
But you can use tools for minify the sources. See Google Clousure and ng-min for angular.js
I recommend you to use grunt to build one single js file for you application, with all of your code minified. Take a look at those projects that may be useful: ng-boilerplate and yeoman - angularjs
Comments
You cannot hide angualrjs. Its based on Javascript. To minify, doesn't help because anyone can convert it back to human readable view (sure if anyone wants to steal your code). Any sensitive logic try to put on server side.
Hope it will hep,
2 Comments
praneybehl
I am sorry if it sounds like a noob but I am fairly new server-side JS programming and quite intrigued by how it all works. How is it possible to keep sensitive logic on the server?
Maxim Shoustin
@praneybehl means to write it with PHP/Java but not on client side
- minify
- uglify
along with minify you must uglify your code, which make it difficult to understand, it will renames the variables and function in very ugly manner, not easy to break the code.
Also you can encrypt it well, you have and have to decrypt when it is needed to use, and that can't be remain hidden from the front end tools
3 Comments
kzh
Please explain "Also you can encrypt as well"
Red
@AnkitBalyan That doens't encrypt you JS code, thats just not possible. How would your browser be able to run the JS code if its encrypted code!?
Ankit Balyan
@Red That's exactly what I've mentioned in my answer. "you have and have to decrypt when it is needed to use, and that can't be remain hidden from the front end tools"
You can hide your javascript code using NGINX server subrequest.
If you have /admin route in angular, backbone or other js framework and you want to hide it for unauthorized users, you can make subrequest in NGINX to backend, which checks if user is authorized. If not, then you throw 404 or make redirect to homepage.
This is nginx module which contains more details: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html
The code in NGINX looks more or less like this:
location ^~ /admin {
# checking in background if user is privileged
auth_request /auth;
root /var/www/angular-client/;
}
location = /auth {
proxy_pass http://backend.cms/api/v1/users/admin.json;
proxy_set_header X-Original-URI http://backend.cms/api/v1/users/admin.json;/
}
Comments
This is the natural behaviour of a front-end framework; you do not hide the source code. There should be no sensitive data whatsoever in your front-end, especially no passwords. Just like Stack Overflow, all the font-end code is and will always be visible to the user.
