question about script security

  • Question

  • Hello,

    We're developing a web app and we're wondering if there's a way to prevent the user from inspecting the page or seeing the javascript. Most browsers have a console that you can open up and see the DOM elements and any scripts running on the page. Most of them even allow you to hover over variables and see the data, some of which might include database IDs and other private information. While we try to make as little sensitive/private information available as possible, the fact that users can inspect the page and view information behind the scenes is a bit of a security hole.

    What we want to know is: can the viewing of DOM elements or scripts be disabled from the web app side?

    Or: can we at least minimize the javascript when we deploy?

    For this last part, we are using Visual Studio 2015, and Gulp packages to package everything together (javascript, CSS, etc.) during deployment. All I would need to know is how to set up a gulp package to minimize the Javascript (which is packaged into one file during deployment called app.js).

    Does anyone have any tips on how to make sensitive information a bit more secure in the browser console? Thanks.
    Wednesday, October 18, 2017 3:59 PM

All replies

  • Examining DOM elements or scripts is not in itself a security issue. Besides, you can't disable them anyway with disabling your web page. In other words, if the browser can "see" the script, so can human eyes.

    However, examining a script might give a hacker clues as to security holes at the level of the database itself. As an obvious example, you don't want the SQL connection string appearing in the script code, and you don't want SQL statements appearing in the script code either. There are more subtle database security holes to be alert to, which is a topic too large to be answered in a forum post. If this is unfamiliar territory for you, I strongly advise you and your group to obtain outside help, particularly if this is a commercial application or if the database contains personal and confidential information.

     

    Wednesday, October 18, 2017 7:04 PM
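
The check the reply above points at, as an added example that is not part of the original thread: a Node.js script that scans a built bundle for connection strings and SQL statements embedded in string literals. The rule patterns, the `scanBundle` name and the sample bundle are assumptions constructed for illustration; minification leaves string literal contents intact, so the same scan applies to minified output.

```javascript
// Added example (not from the thread): pre-deploy scan of a JS bundle for
// the two leaks named in the reply. Patterns are illustrative assumptions.
const RULES = [
  {
    name: 'connection-string',
    // ADO.NET-style "key=value;" pairs that include a password field
    re: /\b(?:Server|Data Source)\s*=[^;"'`]+;[^"'`]*\b(?:Password|Pwd)\s*=[^;"'`]+/i,
  },
  {
    name: 'sql-statement',
    // Upper-case keywords only, so ordinary UI text is not flagged
    re: /\b(?:SELECT\s+[\w*,.\s]+?\s+FROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\s+\w+/,
  },
];

// Heuristic: pull out quoted string literals and test each one against
// every rule. Returns one finding per (literal, rule) match.
function scanBundle(source) {
  const findings = [];
  const literal = /(["'`])((?:\\[\s\S]|(?!\1)[^\\])*)\1/g;
  let m;
  while ((m = literal.exec(source)) !== null) {
    const text = m[2];
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        const line = source.slice(0, m.index).split('\n').length;
        findings.push({ rule: rule.name, line, offset: m.index, text });
      }
    }
  }
  return findings;
}

// Constructed sample: minified-looking bundle with two leaks and one
// harmless UI string that must not be reported.
const SAMPLE_BUNDLE = [
  '!function(n){var t="Server=db01;Database=Shop;User Id=app;Password=example-only";',
  'n.q=function(e){return"SELECT id, email FROM Users WHERE id="+e};',
  'n.label="Select a user from the list"}(window);',
].join('\n');

for (const f of scanBundle(SAMPLE_BUNDLE)) {
  console.log(`${f.rule} at line ${f.line}: ${f.text}`);
}
```

A non-empty result from `scanBundle` on the real `app.js` can be used to fail the build before the bundle is published.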
  • Thanks very much Brian,

    I'm looking towards trying to obfuscate the javascript. We package all our javascript into a file called app.js with Gulp. I'm trying to use Gulp's uglify() to obfuscate the code but it's not working:

    gulp.task('dev:js', ['lint'], function() {
        return gulp.src(paths.appjs)
            .pipe(plugins.order([
                'Shared/PartialViews/_mainLayout.js',
                'Shared/shared.js',
                '*'
            ]))
            .pipe(plugins.concat('app.js'))
            .pipe(plugins.uglify())                    // <-- Uglification
            .pipe(gulp.dest(paths.distJs));
    });

    Strangely enough, this works for vendor.js, another file in our application:

    gulp.task('vendor:js', ['install'], function() {
        return gulp.src(plugins.mainBowerFiles())
            .pipe(plugins.filter('*.js'))
            .pipe(plugins.order([
                'jquery.js',
                'bootstrap.js',
                'jquery.dataTables.js',
                'dataTables.bootstrap.js',
                'dataTables.responsive.js',
                'responsive.bootstrap.js',
                'dataTables.select.js',
                'pnotify.js',
                '*'
            ]))
            .pipe(plugins.debug({ title: 'vendor-files:' }))
            .pipe(plugins.concat('vendor.js'))
            .pipe(plugins.uglify())                   // <-- uglification
            .pipe(gulp.dest(paths.distJs));
    });

    Why wouldn't this work for app.js?

    Wednesday, October 18, 2017 9:08 PM
  • Hi gib898,

    Welcome to the MSDN forum.

    According to your description, your issue is about ASP.NET. Since our forum is for discussing the VS IDE, please redirect to this appropriate forum: https://forums.asp.net/26.aspx/1?Configuration+and+Deployment to seek better support. Thank you for your understanding.

    Best regards,

    Sara



    Friday, October 20, 2017 7:26 AM