如何禁用浏览器开发者工具?
[英]How to disable browser developer tools?
问题描述
I'm developing a web application and since it has access to a database underneath, I require the ability to disable the developer tools from Safari, Chrome, Firefox and Internet Explorer and Firebug in Firefox and all similar applications. 
I'm developing a web application and since it has access to a database underneath, I require the ability to disable the developer tools from Safari, Chrome, Firefox and Internet Explorer and Firebug in Firefox and all similar applications. Is there a way to do this?有没有办法做到这一点?
Note: The AJAX framework provided by the database requires that anything given to the database to be in web parameters that can be modified and that anything it returns be handled in JavaScript.注意:数据库提供的 AJAX 框架要求提供给数据库的任何内容都在 web 参数中可以修改,并且它返回的任何内容都在 JavaScript 中处理。 Therefore when it returns a value like whether or not a user has access to a certain part of the website, it has to be handled in JavaScript, which developer tools can then access anyway.因此,当它返回一个值,比如用户是否可以访问网站的某个部分时,必须在 JavaScript 中处理,然后开发人员工具无论如何都可以访问这些值。 So this is required.所以这是必需的。
UPDATE: For those of you still thinking I'm making bad assumptions, I did ask the vendor.更新:对于那些仍然认为我做出错误假设的人,我确实询问了供应商。 Below is their response:以下是他们的回应:
Here are some suggestions for ways of mitigating the risk:以下是降低风险的一些建议:
1) Use a javascript Obfuscator to obfuscate the code and only provide the obfuscated version with the sold application;
2) Use a less descriptive name;
16 个解决方案
解决方案1
122 已采纳 2011-09-26 18:20:05
No you cannot do this<\/strong> .不,你不能这样做<\/strong>。
The developer menu is on the client side and is provided by the user's browser.开发者菜单位于客户端,由用户的浏览器提供。
Also the browser developer should have nothing<\/strong> to do with your server side database code, and if it does, you need some maaaaaajor restructuring.此外,浏览器开发人员应该与您的服务器端数据库代码无关<\/strong>,如果这样做,您需要进行一些 maaaaaajor 重组。
"
解决方案2
59 2011-09-26 23:36:04
If your framework requires that you do authorization in the client, then...如果您的框架要求您在客户端进行授权,那么...
You need to change your framework
When you put an application in the wild, where users that you don't trust can access it;当您将应用程序放在野外时,您不信任的用户可以访问它; you must draw a line in the sand.你必须在沙滩上画一条线。
- Physical hardware that you own;您拥有的物理硬件; and can lock behind a strong door.并且可以锁在一扇坚固的门后面。 You can do anything you like here;你可以在这里做任何你喜欢的事情; this is a great place to keep your database, and to perform the authorization functions to decide who can do what with your database.这是保存数据库和执行授权功能以决定谁可以对您的数据库执行什么操作的好地方。
- Everything else;其他一切; Including browsers on client computers;包括客户端计算机上的浏览器; mobile phones;手机; Convenience Kiosks located in the lobby of your office.便利亭位于您办公室的大堂。 You cannot trust these!你不能相信这些! Ever!曾经! There's nothing you can do that means you can be totally sure that these machines aren't lying to cheat you and your customers out of money.您无能为力,这意味着您可以完全确定这些机器不会撒谎以骗取您和您的客户的钱。 You don't control it, so you can't ever hope to know what's going on.你无法控制它,所以你永远无法希望知道发生了什么。
解决方案3
27 2014-02-11 13:26:45
In fact this is somehow possible ( how-does-facebook-disable-developer-tools<\/a> ), but this is terribly bad idea for protecting your data.事实上,这在某种程度上是可能的( how-does-facebook-disable-developer-tools<\/a> ),但这对于保护您的数据来说是非常糟糕的主意。 Attacker may always use some other (open, self written) engines that you don't have any control on.攻击者可能总是使用您无法控制的其他一些(开放的、自行编写的)引擎。 Even javascript obfuscation may only slow down a bit cracking of your app, but it also gives practically no security.即使是 javascript 混淆可能只会减慢您的应用程序的一点破解速度,但它实际上也没有提供任何安全性。
"
解决方案4
23 2011-09-27 02:25:29
There's no way your development environment is this<\/em> brain-dead.你的开发环境不可能这么<\/em>死脑筋。 It just can't be.这是不可能的。
I strongly recommend emailing your boss with:我强烈建议给你的老板发电子邮件:
- A demand for a week or two in the schedule for training \/ learning.培训\/学习计划中需要一两个星期的时间。<\/li>
- A demand for enough support tickets with your vendor to figure out how to perform server-side validation.要求您的供应商提供足够的支持票,以确定如何执行服务器端验证。<\/li>
- A clear warning that if the tool cannot do server-side validation, that you will<\/em> be made fun of on the front page of the Wall Street Journal when your entire database is leaked \/ destroyed \/ etc.一个明确的警告,如果该工具无法进行服务器端验证,当您的整个数据库被泄露\/破坏\/等时,您将<\/em>在华尔街日报的首页上被取笑。<\/li><\/ul>"
解决方案5
20 2011-09-26 18:20:19
No. It is not possible to disable the Developer Tools for your end users.不可以。不能为您的最终用户禁用开发者工具。
If your application is insecure if the user has access to developer tools, then it is just plain insecure.如果您的应用程序在用户有权访问开发人员工具的情况下不安全,那么它就是完全不安全的。
"
解决方案6
13 2014-02-12 10:54:32
Don't forget about tools like Fiddler<\/a> .不要忘记像Fiddler<\/a>这样的工具。 Where even if you lock down all the browsers' consoles, http requests can be modified on client, even if you go HTTPS.即使您锁定了所有浏览器的控制台,即使您使用 HTTPS,也可以在客户端上修改 http 请求。 Fiddler can capture requests from browser, user can modify it and re-play with malicious input. Fiddler 可以捕获来自浏览器的请求,用户可以修改它并使用恶意输入重新播放。 Unless you secure your AJAX requests, but I'm not aware of a method how to do this.除非您保护您的 AJAX 请求,但我不知道如何执行此操作的方法。
Just don't trust any input you receive from any browser.只是不要相信您从任何浏览器收到的任何输入。
"
解决方案7
5 2020-06-19 11:41:09
you cannot disable the developer tool.您不能禁用开发人员工具。 but you can annoys any one who try to use the developer tool on your site, try the javascript codes blow, the codes will break all the time.但是您可能会惹恼任何尝试在您的网站上使用开发人员工具的人,尝试使用 javascript 代码,代码会一直中断。
(function () {
(function a() {
try {
(function b(i) {
if (('' + (i / i)).length !== 1 || i % 20 === 0) {
(function () { }).constructor('debugger')()
} else {
debugger
}
b(++i)
}
)(0)
} catch (e) {
setTimeout(a, 5000)
}
}
)()
}
)();
解决方案8
4 2015-08-12 10:19:21
Update at the time (2015) when this answer was posted, this trick was possible.在发布此答案时(2015 年)更新,这个技巧是可能的。 Now (2017) browsers are mature.现在(2017)浏览器已经成熟。 Following trick no longer works!<\/strong>以下技巧不再有效!<\/strong>
Yes it is possible.<\/s>对的,这是可能的。<\/s> Chrome wraps all console code in<\/s> Chrome 将所有控制台代码封装在<\/s>
with ((console && console._commandLineAPI) || {}) { <code goes here> }<\/code><\/s><\/pre>
... so the site redefinesconsole._commandLineAPI<\/code> to throw:<\/s>...因此该站点重新定义了console._commandLineAPI<\/code>以抛出:<\/s>Object.defineProperty(console, '_commandLineAPI', { get : function() { throw 'Nooo!' } })<\/code><\/s><\/pre>
This is the main trick!<\/s>这是主要技巧!<\/s>"
解决方案9
1 2020-06-05 03:29:58
I found a way, you can use debugger<\/code> keyword to stop page works when users open dev tools我找到了一种方法,当用户打开开发工具时,您可以使用debugger<\/code>关键字来停止页面工作
(function(){
debugger
}())
解决方案10
1 2021-03-27 07:48:58
$('body').keydown(function(e) {
if(e.which==123){
e.preventDefault();
}
if(e.ctrlKey && e.shiftKey && e.which == 73){
e.preventDefault();
}
if(e.ctrlKey && e.shiftKey && e.which == 75){
e.preventDefault();
}
if(e.ctrlKey && e.shiftKey && e.which == 67){
e.preventDefault();
}
if(e.ctrlKey && e.shiftKey && e.which == 74){
e.preventDefault();
}
});
!function() {
function detectDevTool(allow) {
if(isNaN(+allow)) allow = 100;
var start = +new Date();
debugger;
var end = +new Date();
if(isNaN(start) || isNaN(end) || end - start > allow) {
console.log('DEVTOOLS detected '+allow);
}
}
if(window.attachEvent) {
if (document.readyState === "complete" || document.readyState === "interactive") {
detectDevTool();
window.attachEvent('onresize', detectDevTool);
window.attachEvent('onmousemove', detectDevTool);
window.attachEvent('onfocus', detectDevTool);
window.attachEvent('onblur', detectDevTool);
} else {
setTimeout(argument.callee, 0);
}
} else {
window.addEventListener('load', detectDevTool);
window.addEventListener('resize', detectDevTool);
window.addEventListener('mousemove', detectDevTool);
window.addEventListener('focus', detectDevTool);
window.addEventListener('blur', detectDevTool);
}
}();
解决方案11
0 2020-10-02 04:56:33
Yeah, this is a horrible design and you can't disable developer tools.是的,这是一个可怕的设计,你不能禁用开发者工具。 Your client side UI should be sitting on top of a rest api that's designed in such a way that a user can't modify anything that was already valid input anyways.您的客户端 UI 应该位于 rest api 之上,该 api 的设计方式使得用户无论如何都无法修改任何已经是有效输入的内容。
You need server side validation on inputs.您需要对输入进行服务器端验证。 Server side validation doesn't have to be verbose and rich, just complete.服务器端验证不必冗长而丰富,只要完整即可。
So for example, client side you might have a ui to show required fields etc. But server side you can just have one boolean set to true, and set it to false if a field fails validation and then reject the whole request.因此,例如,客户端您可能有一个 ui 来显示必填字段等。但是服务器端您可以将一个布尔值设置为 true,如果字段验证失败,则将其设置为 false,然后拒绝整个请求。
Additionally your client side app should be authenticated.此外,您的客户端应用程序应该经过身份验证。 You can do that 100 thousand ways.你可以用 10 万种方式做到这一点。 But one I like to do is use ADFS passthrough authentication.但我喜欢做的一项是使用 ADFS 直通身份验证。 They log into the site via adfs which generates them a session cookie.他们通过 adfs 登录网站,adfs 会为他们生成会话 cookie。 That session cookie get's passed to the rest api (all on the same domain) and we authenticate requests to the rest api via that session cookie.该会话 cookie 被传递给 rest api(都在同一个域上),我们通过该会话 cookie 验证对 rest api 的请求。 That way, no one that hasn't logged in via the login window can call the rest api.这样一来,没有通过登录窗口登录的任何人都无法调用rest api。 It can only be called form their browser context.它只能从他们的浏览器上下文中调用。
Developer tool wise, you need to design your app in such a way that anything that a user can do in the developer console is just a (feature) or a breaking thing.开发人员工具方面,您需要以这样一种方式设计您的应用程序,即用户在开发人员控制台中可以做的任何事情都只是一个(功能)或破坏性的事情。 Ie say they fill out all the fields with a js snippet, doesn't matter, that's valid input.即说他们用js片段填写所有字段,没关系,这是有效的输入。 Say they override the script and try to send bad data to the api calls.假设他们覆盖脚本并尝试将错误数据发送到 api 调用。 Doesn't matter, your server side validation will reject any bad input.没关系,您的服务器端验证将拒绝任何错误的输入。
So basically, design your app in such a way that developer tool muckery either brakes their experience (as it won't work), or lets them make their lives a little easier, like auto selecting their country every time.因此,基本上,以这样一种方式设计您的应用程序,即开发人员的工具 muckery 要么破坏他们的体验(因为它不起作用),要么让他们的生活变得更轻松,比如每次都自动选择他们的国家。
Additionally, you're not even considering extensions... Extensions can do anything and everything the developer console can do....此外,您甚至没有考虑扩展......扩展可以做任何开发者控制台可以做的事情......
"
解决方案12
0 2020-11-16 14:06:50
You can not block developer tools, but you can try to stop the user to enter them.您不能阻止开发人员工具,但您可以尝试阻止用户进入它们。 You can try to customize a right-click menu and block the keystrokes for developer tools.您可以尝试自定义右键菜单并阻止开发人员工具的击键。
解决方案13
0 2022-09-18 11:25:14
I am just throwing a random Idea maybe this will help.我只是在抛出一个随机的想法,也许这会有所帮助。
If someone tries to open the developer tool just redirect to some other site.
I don't know how much this is gonna effective for you but at least they can't perform something on your site.我不知道这对您有多大效果,但至少他们不能在您的网站上执行某些操作。
解决方案14
-1 2021-02-04 04:05:48
Yes.是的。 No one can control client browser or disable developer tool or debugger tool.没有人可以控制客户端浏览器或禁用开发工具或调试工具。
But you can build desktop application with electron.js where you can launch your website.但是您可以使用 electron.js 构建桌面应用程序,您可以在其中启动您的网站。 Where you can stop debugger or developer tool.您可以在哪里停止调试器或开发人员工具。
Our team snippetbucket.com had build plenty of solution with electron.js, where similar requirement was their.我们的团队 snippetbucket.com 使用 electron.js 构建了大量解决方案,他们的需求类似。 as well restructure and protect website with many tools.以及使用许多工具重组和保护网站。
As well with electron.js many web solution converted and protected in well manner.与 electron.js 一样,许多 Web 解决方案也得到了很好的转换和保护。
解决方案15
-2 2022-01-24 09:06:47
解决方案16
-3 2014-02-25 15:42:36
You can easily disable Developer tools by defining this:您可以通过定义以下内容轻松禁用开发人员工具:
Object.defineProperty(console, '_commandLineAPI', { get : function() { throw 'Nooo!' } })
解决方案17
-7 2014-02-12 16:02:25
Brandon , 布兰登,
You can do something like this , this is a very basic idea, You can override native code by doing this , This not the exact you looking for , you have develop from from this 您可以执行以下操作,这是一个非常基本的想法,您可以执行此操作以覆盖本机代码,这与您要找的不完全相同,您可以从中开发
delete window.console
console.log('test'); // Noting will work
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.