
Kiosk mode for Websites

Some of the secure websites on the internet, such as banks, have disabled "Right-click". I know that it's just for preventing the end-user from accessing "Inspect Element" or the "Toolbox" items. But, on some browsers, just pressing the F12 key, or any equivalent, might do the job.

So, is there any way to check the webpage for changes in code (HTML, CSS and JS) continuously, and redirect them to a warning page if anyone attempts to tamper with the code? Or just prevent them before they even try to read the code?

I agree with jeff in the comments above; don't worry about those users because you'll never get security tight enough to thwart everyone. Just worry about the 99%. If anyone says they can prevent all users from modifying browser code, it is a lie.

Do your actual processing and logic on the server side, not in the browser, and NEVER trust ANYTHING they send you. Assume it is a lie or garbage until you validate otherwise.

Disabling right-click is the absolute easiest thing to work around. You can never completely rely on a web browser to secure your content. Additionally, most, if not all, major modern web browsers have built-in protection against cross-site scripting. These browsers are likely going to be better at detecting these than you are. I would actually suspect any Javascript attempt you make to prevent cross-site scripting could actually make your page more vulnerable to it.

Some things you could look into to make your web server safer:

  1. When using forms, consider using an anti-forgery token.
  2. Always validate user input. Your web server sends messages to a client computer, which then loads that content into a web browser. A good hacker doesn't even need a web browser to hack your web site. So, you can't assume incoming messages are safe at all. This is why you need to validate all input.
  3. Consider creating honeypots to detect malicious attempts by robots or hackers.

Likely no, because that action (starting the inspector) occurs on a different layer of browser functionality; HTML and JavaScript simply have no access to that layer. As a result, it's impossible to prevent that action (viewing the HTML and JavaScript of the page).

Even if you were to lock all possible actions which open the JS inspector, I am sure that there are ways to lock your event bindings, for instance executing JS code prior to yours, which makes it impossible to add your own lockers for F12, right-click and other actions.
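The "code that runs prior to yours" bypass described in the answer above, simulated in Node.js as an added example that is not part of the original answer. Node's built-in `EventTarget` and `Event` stand in for `document` and the browser's events, so it runs without a browser; `installLockers`, `preemptLockers` and the manually attached `key` property are constructions for the illustration. The site's script registers the usual `contextmenu` and F12 handlers that call `preventDefault()`; a script that runs first (a user script, an extension, or code typed into the console before the page's own code) replaces `addEventListener` so those handlers are never attached, and the events go through unblocked.

```javascript
// Added example (not from the original answer): why client-side "lockers"
// for right-click and F12 cannot be relied on. Uses Node's global
// EventTarget/Event (Node 15+) as a stand-in for the browser's document.

function makeDocument() {
  return new EventTarget();
}

// The site's attempt at a kiosk mode: cancel the context menu and F12.
function installLockers(doc) {
  doc.addEventListener('contextmenu', (e) => e.preventDefault());
  doc.addEventListener('keydown', (e) => {
    if (e.key === 'F12') e.preventDefault();
  });
}

// Hostile code that runs *before* the site's script: every attempt to
// register a handler for these two events is silently discarded.
function preemptLockers(doc) {
  const original = doc.addEventListener.bind(doc);
  doc.addEventListener = function (type, listener, options) {
    if (type === 'contextmenu' || type === 'keydown') return;
    return original(type, listener, options);
  };
}

// Fire one event and report whether anything cancelled it. Node has no
// KeyboardEvent, so the key name is attached to a plain Event by hand.
function eventBlocked(doc, type, key) {
  const ev = new Event(type, { cancelable: true });
  if (key !== undefined) ev.key = key;
  doc.dispatchEvent(ev);
  return ev.defaultPrevented;
}

// Case 1: the lockers are installed on a clean document and do their job.
function lockersAlone() {
  const doc = makeDocument();
  installLockers(doc);
  return {
    contextmenu: eventBlocked(doc, 'contextmenu'),
    f12: eventBlocked(doc, 'keydown', 'F12'),
  };
}

// Case 2: hostile code ran first; the same lockers are now inert.
function lockersPreempted() {
  const doc = makeDocument();
  preemptLockers(doc);
  installLockers(doc);
  return {
    contextmenu: eventBlocked(doc, 'contextmenu'),
    f12: eventBlocked(doc, 'keydown', 'F12'),
  };
}

console.log('lockers alone:    ', lockersAlone());
console.log('lockers pre-empted:', lockersPreempted());
```

Pre-empting the bindings is only the most thorough bypass; in a real browser the user can also remove the listeners from the console, open the developer tools from the browser menu, or fetch the page with no browser at all, which is why the other answer moves all trust to the server.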
