
Well I have a non-jQuery ajax function:

// Flags read by a() below; assumed to be declared in the enclosing scope of the
// original script. Note that canAjax is never reset to false here, so as posted
// it does not actually throttle anything.
var canAjax = true;
var mouseIdle = false;

function callAjax(){ // request will be sent to the node server
    // XMLHttpRequest is available in IE7+, Firefox, Chrome, Opera, Safari
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function(){
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200){
            canAjax = true;
            // do something with xmlhttp.responseText
        }
    };
    xmlhttp.open("GET", "string", true); // "string" is the endpoint URL placeholder
    xmlhttp.send();
}

and a function that calls it:

function a(){
    if (mouseIdle && canAjax){
        callAjax();
    }
}

This is kind of an API I give to my clients with the following:

<script src="mysrc"></script>

The problem is, anyone can easily delete these ifs if they wanted to (including their clients), and I can't figure out a way to make it uneditable, or at least to prevent that. I just want my JavaScript code to be untouchable from the inside. How can it be done?

  • JavaScript is client-side, you can't control it. Uglifying your code could help you. Commented Mar 30, 2016 at 13:59

2 Answers

2

Like Quentin said, you can't control JavaScript on the client side, that's just how the web works.

You could implement a simple auth system using tokens.

Your token should be something hard to guess to discourage brute-force attacks, like the SHA256 hash of the current time. The SHA256 hash of an empty string is below:

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Then you could save this token key in your database (MongoDB, MySQL or other), and you need to require your clients to send their token with each request they make.

After this you just need to check the usage quota for that key and decide whether to serve the request or not.


2 Comments

Nice answer. btw how should the tokens be removed from DB once the user has stopped using the website?
@user1938653 - You can build a really simple backoffice for your own use to control which tokens have access to the endpoint and how big is the usage quota
0

It can't.

Anything you send to the client can be edited by the end user or duplicated, edited and placed on another website.

If you want to limit access to your Ajax endpoint, then you'll need to put the protection in on the server. For example, with IP-address-linked rate limiting.

9 Comments

Another method is adding a simple auth method, with a token for instance, so that he can control the requests for that client regardless of the IP address
@rafaelcpalmeida — That would depend on being able to limit access to the end point to specific people, the question didn't give me the impression that was feasible.
What are the recommended ways of controlling Ajax requests, or requests in general? I need to be able to make sure the client doesn't flood me with requests.
@user1938653 — See the final paragraph of my answer.
Hey rafaelcpalmeida, that token idea sounds pretty good. any examples on how to implement one?
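The IP-address-linked rate limiting this answer recommends, as an added example for Node.js (not code from the original answer). It keeps a sliding window of request timestamps per address and adds the check a practitioner needs when a reverse proxy sits in front of the app: X-Forwarded-For is set by the client, so it is only honoured when the TCP peer is one of our own proxies, and even then the rightmost address not belonging to a trusted proxy is used, since the proxy appends to whatever the client sent. The IpRateLimiter class, the handleRequest helper, the trusted-proxy set and the injectable clock are assumptions for the example.

```javascript
// Added example, not part of the original answer: per-IP sliding-window
// rate limiting for an Ajax endpoint in Node.js.

class IpRateLimiter {
  // Allow at most maxRequests per windowMs for each client address.
  // The clock is injectable so the behaviour can be tested without sleeping.
  constructor(maxRequests, windowMs, now = Date.now) {
    this.maxRequests = maxRequests;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // ip -> timestamps of requests inside the window
  }

  // true: serve the request; false: answer 429 Too Many Requests.
  allow(ip) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(ip) || []).filter((ts) => ts > cutoff);
    if (recent.length >= this.maxRequests) {
      this.hits.set(ip, recent);
      return false;
    }
    recent.push(t);
    this.hits.set(ip, recent);
    return true;
  }

  // Forget addresses with no traffic inside the window so the map does not
  // grow without bound; call periodically, e.g. from setInterval.
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [ip, stamps] of this.hits) {
      if (!stamps.some((ts) => ts > cutoff)) this.hits.delete(ip);
    }
  }
}

// Pick the address to limit on. X-Forwarded-For is client supplied, so it is
// honoured only when the TCP peer is a trusted reverse proxy; otherwise any
// caller could dodge the limit by sending a fresh header value each time.
function clientIp(remoteAddress, headers, trustedProxies) {
  const xff = headers && headers["x-forwarded-for"];
  if (trustedProxies.has(remoteAddress) && typeof xff === "string") {
    const chain = xff.split(",").map((s) => s.trim()).filter(Boolean);
    // Walk from the right: proxies append, so the first hop that is not one
    // of ours is the real client; anything left of it is unverified.
    for (let i = chain.length - 1; i >= 0; i--) {
      if (!trustedProxies.has(chain[i])) return chain[i];
    }
  }
  return remoteAddress;
}

// Endpoint glue returning the status to send. In a real http server,
// remoteAddress is req.socket.remoteAddress and headers is req.headers.
function handleRequest(limiter, remoteAddress, headers, trustedProxies) {
  const ip = clientIp(remoteAddress, headers, trustedProxies);
  return limiter.allow(ip) ? { status: 200, ip } : { status: 429, ip };
}
```

Per-IP limits are coarse (many users share one NAT address, and an attacker with many addresses gets many buckets), which is why the token-based quota in the other answer is the better fit when you can identify clients; the two compose, with the IP limit as the outer layer.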
