Is it possible for a user to modify site javascript in browser?
Question
I don't know a lot about security, but I'm trying to figure out how to keep my site as safe as possible. I understand that as much stuff that I can handle on the backend the better, but for instances where I'd like to hold some variables on the client, is that stuff utterly unchangeable?
For instance, if I set a global variable to the user's role (this is a pure AJAX web app so a global variable is always available), is it possible by any software to edit javascript within the browser so that a user might change their role?
3 answers
solution1
1 ACCPTED 2015-06-18 02:09:11
Security is a big topic in the web development world and it is important for you to determine how secure your web application should be.
There are 3 parts for you to notice
- Frontend (the website)
everything here is insecure, whatever shown on you in the browser could be changed or modified. Just go to the debug console and you could change the variable and rerender the html page again
- Transportation level (https)
web communication is based on the http(s) protocol that allows you to communicate between your server and client. Using
httpswill prevent you from man in the middle attack
- Backend
always make sure to authenticate and check the data sent from your client (POST, PUT, DELETE)
Prevention
The good thing is even you change the variable of the client side, it only appears on that client session and doesn't effect any others. There are few ways you could increase your security in your frontend
- Obfuscate
this means make your source code harder to read. You could try to use tool like minification, and concatatenata your source code.
- Data
Never ever store user sensitive data (password, user info) in the client side, since people could just change and see it
This should get you learning more about security
solution2
0 2015-06-18 01:56:57
使用开发人员工具,如果您在带有断点的调试模式下运行,则可以更改变量的值。
solution3
0 2015-06-18 13:23:06
All data that goes to the client can be viewed and tampered. There are alot of ways to do that (Developer Tools, HTTP Proxy, ...).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.