Click here to Skip to main content
14,774,504 members
Please Sign up or sign in to vote.
1.00/5 (1 vote)
I have this project (C# ASP.NET Web Forms & Web Services) in which I am loading & binding search results using jquery ajax. It is working fine and it's very fast.

But the only security-related problem that I am worried about is that the ajax javascript code is visible to all users in the dev tools.

function loadEventNotification(refEventID, sequence, listActiveType, filterType) {
    try {
        var param = 'RefEventId : ' + JSON.stringify(refEventID) + ' , Sequence : ' + JSON.stringify(sequence) + ' , ListActiveType : ' + JSON.stringify(listActiveType) + ' , FilterType : ' + JSON.stringify(filterType);
        var notifID = 0;

        $.ajax({
            type: "POST",
            url: "../Services/CMEventDataService.asmx" + "/" + "CM_LoadEventNotificationWS",
            data: "{" + param + "}",
            contentType: "application/json; charset=utf-8",
            dataType: "json",
            success: function (response) {
                var total = 0;
                if (response.d == 'NOAUTH') {
                    message = 'Error : Your are not authorised to access this service';
                }
                else if (response.d == 'ERROR') {
                    message = 'Error : Unable to find records';
                }
                else if (response.d != '') {
                    var list = eval(response.d.replace(/\\/g, "\\\\"));
                    total = list.length;

                    var notif = '';
                    $.each(list, function (k, v) {
                        //Some Html stuff gos here
                    });
                    $(document).find('#cdsn-items').html(notif);
                }
                else {
                    message = 'No matching records found';
                }
            },
            error: function (response) {
                message = 'Error : Unable to load records';
            },
            timeout: 120000
        });
    } catch (err) {
        console.log(err.message);
    }
}


Can I in anyway hide this code from the users?

Once somebody is able to see the js ajax code then they will pick up the URL of the Web Service. I have made sure that the web service cannot be called from other domains (NOAUTH error)

But still, the code is exposed in dev tools

Any suggestions? Highly Appreciated

What I have tried:

I tried finding ways of calling a server-side code but so far no help
Posted
Updated 27-Aug-20 17:23pm
Comments
F-ES Sitecore 25-Jul-18 4:32am
   
Even if you could hide the code I could still use the network tab to see what urls you are requesting. BTW don't update your question to ask how to disable the dev tools, that's not the solution either. Not building a client-side system that relies on secrecy is the solution.

No. Javascript is "human readable" and is an integral part of the web page - you can't "hide" it from the page without the browser being unable to read it.
The only way to hide it from the browser is to keep it entirely within the server.
   
You can "hide" the part of code you want to by using "obfuscated" method.
That means your code will be non humanly readable.
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900