
I want to know how to make it so that users who visit my website can't see a JavaScript script file.

Let me elaborate:

Sometimes, in my JavaScript, I have some config information for stuff like Firebase that I don't want others to see. If someone has that information, they could potentially take it and run it on their localhost and mess with my data. I need to have the private config information in my website's JavaScript, or else the site won't work. But if others see that script, then they can copy it and use it on their site, which will mess up everything. I want to know how to make a private script.

If that's not possible, that's fine. I just want to know what I should do then.

Here are some things I have tried:

<!DOCTYPE html>
<html>

<head>
  <script>
    // config information
  </script>
</head>

<body></body>

</html>

But that doesn't work. With Inspect Element, a user can easily find it.

Another idea was this:

<script src="js/config.js"></script>

But that doesn't help either; a user can just inspect element, then right-click on the link and choose "Reveal Script in Source Panel".

What should I do?

If it's not possible to make the script private, just tell me. I just want to know what I should do.

14
  • 2
    if a browser needs a file, then a user can read the file - you'll need to start from scratch Commented Jul 2, 2018 at 5:08
  • @JaromandaX What do you mean? Commented Jul 2, 2018 at 5:08
  • 2
    You absolutely do NOT want to do that. Find another way... Perhaps serve your index.html with an ExpressJS app and expose an endpoint such as /config or /authenticate and do the authentication on the server side, then return the result as JSON. Then, on the client side, you can use the result without having exposed configuration details. Commented Jul 2, 2018 at 5:10
  • 2
    yes, I know exactly what you are saying ... you don't understand what I'm saying Commented Jul 2, 2018 at 5:11
  • 2
    As @JaromandaX said, if the user owns the browser, the user can see the file. That is why they are the "client." I'll give you an analogy. Your website is a restaurant, you are the server, and the person opening your site is the client. Only the server (the chef) knows the secret recipe (config files) that are used to prepare a dish (webpage). You then "serve" the dish to the client. You don't put your secret recipe on the client's plate (client side code) because it's their food to eat. Commented Jul 2, 2018 at 5:13

2 Answers

3

All client resources like HTML, CSS, JS, images and other files should be public. You can hide the file by adding an entry to .htaccess, for example:

RewriteEngine on
# Return 404 for any request whose path ends in config.js
RewriteRule config\.js$ - [R=404]

but in my opinion it does not make sense; this file is probably needed to run your application. All files served to client applications are public. Don't keep sensitive data in JS files. You can keep sensitive information in configuration files on the backend side, but you can't share them with the client-side application.


2 Comments

Will accept your answer but it says to wait 3 minutes
Happy to help. Best regards.
1

Hi, it looks like you need to call the Firebase API. But don't do this in JavaScript from the client side; you should never render sensitive info to the client side. Do a call on the server side on postback from the client instead.
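
What the comments and answers above recommend (keep the secret on the server, expose an endpoint, return only the result as JSON), shown as an added example that is not part of the original thread. The routes, the `SERVICE_SECRET` variable, the in-memory store and the sample data are all constructed assumptions.

```javascript
// Added example; routes, names and data are constructed, not from the thread.
// The secret lives only in the server process and is never written to a response.
const SERVICE_SECRET = process.env.SERVICE_SECRET || 'constructed-demo-secret';

// Non-secret settings are the only configuration the browser receives.
const PUBLIC_CONFIG = { appName: 'demo', apiBase: '/api' };

// Hypothetical stand-in for a privileged data store (in memory, constructed data).
// A real store call would be asynchronous and take the credential the same way.
const scores = [{ user: 'alice', score: 10 }];
function store(secret) {
  if (secret !== SERVICE_SECRET) throw new Error('bad credential');
  return {
    list: () => scores.map((s) => ({ ...s })),
    add: (user, score) => scores.push({ user, score }), // push returns the new length
  };
}

// Request handler: (method, path, body) -> { status, json }.
function handle(method, path, body) {
  const db = store(SERVICE_SECRET); // credential is used here, server side only
  if (method === 'GET' && path === '/config') return { status: 200, json: PUBLIC_CONFIG };
  if (method === 'GET' && path === '/api/scores') return { status: 200, json: db.list() };
  if (method === 'POST' && path === '/api/scores') {
    // The client is untrusted: validate every write on the server.
    const { user, score } = body || {};
    const valid = typeof user === 'string' && /^\w{1,20}$/.test(user) &&
      Number.isInteger(score) && score >= 0 && score <= 100;
    if (!valid) return { status: 400, json: { error: 'invalid score' } };
    return { status: 201, json: { count: db.add(user, score) } };
  }
  return { status: 404, json: { error: 'not found' } };
}

// Wire the handler into Node's built-in HTTP server, e.g. startServer(3000).
function startServer(port) {
  const http = require('http');
  return http.createServer((req, res) => {
    let raw = '';
    req.on('data', (chunk) => { raw += chunk; if (raw.length > 10000) req.destroy(); });
    req.on('end', () => {
      let body = null;
      try { body = JSON.parse(raw); } catch { /* empty or malformed body stays null */ }
      const out = handle(req.method, req.url, body);
      res.writeHead(out.status, { 'Content-Type': 'application/json' });
      res.end(JSON.stringify(out.json));
    });
  }).listen(port);
}
```

Anyone can still call these endpoints from their own machine, so what protects the data is the server-side validation in `handle`, not the hiding of any file.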
