Ask HN: How do I hide sensitive parts of my JavaScript code?

1 points by 01-_- ↗ HN

13 comments

[ 4.5 ms ] story [ 43.5 ms ] thread
Keep it server side, and solve your problem without client side Javascript.

Otherwise you don't.

the problem is that I can't do this with ajax requests, they must always be on the client side. I thought about obfuscating and discovered that it's not so secure either
By using a Nodejs backend. Mostly that's where the business logic goes.
You can't have the user download something and then try to pretend they didn't download it. If it's that sensitive, it's gotta be server side.
by definition any code that is not compiled that is delivered to a client application will be less secure than code that is run completely under your control, you say it needs to be on the client side but I have to admit I have a hard time envisioning where code that is sensitive absolutely HAS to be run in the client (I mean truly sensitive, like validating that this is really your bank account, as opposed to just code you don't want others to take and use)
Here's a good article about different methods for accessing and storing secrets in JavaScript: https://thenewstack.io/best-practices-for-storing-access-tok...

It's important to keep in mind that any secrets are the end users' secrets and not your secrets. Don't ever send your private keys to end users. You'll need to either act as a middle man between the end user and any third party, or have the third party generate user-specific tokens that only grant access to resources you have specifically allocated to that user.

If you can give some details of what the page will be doing, I may be able to help you with the general architecture of the data flow.

I really wanted to hide a GET request that is made to the server via ajax. Here is the complete code of what I need to hide the GET request that is sent to the server by the sendToServer(“GET”, url) function.

``` function toggleCmmt(cmmtValue) { var img = document.querySelector(".imgvtCmm"+cmmtValue); var currentSrc = img.src;

            var increment;
            if (currentSrc.endsWith("assets/imgs/icons8-thick_arrow_pointing_up.png")) {
                img.src = "assets/imgs/activeUp.png";
                increment = 1;
            } else if (currentSrc.endsWith("assets/imgs/activeUp.png")) {
                img.src = "assets/imgs/icons8-thick_arrow_pointing_up.png";
                increment = -1;
            }


            var numberVoteDiv = document.querySelector(".vtscmmt"+cmmtValue);
            var currentVote = parseInt(numberVoteDiv.textContent);
            var updatedVote = currentVote + increment;
            numberVoteDiv.textContent = updatedVote;

            const user = document.querySelector(".user").value;
            const idcmmt = cmmtValue;
            const url = `handcmmt.php?u=${user}&idcmmt=${idcmmt}`;

            sendToServer("GET", url)
                .then(responseText => {

                    numberVoteDiv.textContent = responseText;
                })
                .catch(error => {
                    console.error('Erro:', error);
                });
        }
```
I meant a little more abstract description of what the page is trying to do.

I presume you are processing some client-side information and sending the output in a GET request, and you want to prevent the user from sending a nefarious GET request with inauthentic data?

In general, you will need to sanitize the inputs on the server side, to ensure only sensible GET requests are acknowledged, but there will likely need to be more done to verify that the data itself is authentic.

Can you give me an overview of how the information in a valid GET request is obtained, and what a user might be attempting to accomplish with nefarious GET request?

I don't mean source code, just some goals of what you are trying to accomplish by hosting the page, what goals a normal user would be accomplishing in using the page, and the goals a bad actor may have that you are trying to prevent.

send votes with user names that are not in the database, for example. That's what a bad person could do. But for those who are logged in, they can do so with proof of the data already registered in the database.
Seeing that code, I could guess that you want to hide that request because, if people saw it, they'd notice that you can just call it repeatedly with different ids and massively vote comments, which is mildly bad. Not only that, but you can probably just use any user id and just spam-vote anything by massively impersonating other users, which is worse than the previous option.

If that's why you want to hide the request, then I have to say you're doing it wrong.

On the one hand, it's wrong because no matter how you hide that code, I can just open the Network tab in the browser's console and see the request anyway. In fact, my browser is so friendly it offers me to "Edit and resend" the request and I don't need any coding skills to do that.

On the other hand, it's wrong because the problem is not located there, in that code. The problem is located in handcmmt.php and in the way you handle identification. handcmmt.php shouldn't need to receive the user id at all.