问题
This might sound silly, but as a developer, I'm using the debugger in Chrome every day to test my web applications, but although these tools are valuable for us developers, it might also be used against us by users how wants to mess with our systems.
You probably know that it is fairly easy, using the debugger, to re-enable a button that was previously set to disabled, or change the value of hidden tags or variables. It would then be easy to post a form that is not suppose to be sent, with forged values...
Would it be a way to prevent all debbugging tools to be used when your page is displayed in production environment?
Some sort of meta tags that could be added to the web page, or something else?
I know I could scramble my JS scripts but is there any other ways?
Thanks
回答1:
No, this is not possible. As John Conde said you should use server-side validation to protect against invalid input. Even without a "debugger" as you call them, a user can always GET/POST a request (with bogus data) to your form submission URL.
回答2:
JavaScript validation is for improving the user experience, not for protecting your data; it runs on the client, so a malicious client can always change it. Anything sent to the server needs to be validated by the server, where the client can't mess with or bypass the validation.
In addition to debuggers, there are tools such as cURL that can be used to send any GET or POST request to your server. As a developer, cURL is pretty handy for letting servers communicate with each other (the time I used it, it was because my database was on a different web server than my UI), but it means that your server has to be able to safely handle any request sent to it, even those your JavaScript does not allow.
回答3:
I have 2 ideas to limit this to 80%.
- Prohibit right clicking
- Use the setInterval function to monitor the change of html tags. If it is changed back to the original value or redirects the website to any other address, for example google.com.
来源:https://stackoverflow.com/questions/20887053/how-to-prevent-users-to-go-in-debug-mode-with-their-browser