问题
I have an application which is written in angularjs. However, this problem applies to javascript applications in general.
The user calls the index.html in the browser, which then presents him the login page. However, in the background, all javascript files are being already loaded. Therefore the user could in theory read the code (even when obfuscated and minified) and gain important information (keywords, rest call urls and so on). Even if I would do lazy loading of js files, the user still can lookup the js source path and pull it from the server. Is there a way to prevent a user from doing so?
EDIT: or is there at least a way to prevent the user from seeing the js source before has successfully authenticated himself (no prevention of reading the rest api url)? My application contains data (data!=rest call data but Strings in the application itself) which one should not know when he is not authenticated.
回答1:
In my current apllication I use PHP for the REST part. So it's pretty easy to have index.php handle the login in a classical way and if the user logged in i'll head to the actual Angular App.
All my REST functions do a logged_in check and if it fails, head back to index.php. Also my partials are PHP templates that do checks for Login, Rights and Ownership that chicken out if something is wrong or just don't include crucial script parts or replace them with something that the user is allowed to see.
So everything security related is handled on the server side, all the convenience on the client side.
And yep, i can live with the fact that a hacking attempt or a failed login reloads the minimal login page.
回答2:
No, there is no way. Even if the user don't have access to the JavaScript files, he can monitor the traffic between his browser and the server so he would be aware of the communication protocol and all REST calls.
来源:https://stackoverflow.com/questions/21572534/prevent-user-from-reading-javascript-data-and-files-when-login-fails