This might sound silly, but as a developer, I'm using the debugger in Chrome every day to test my web applications, but although these tools are valuable for us developers, they might also be used against us by users who want to mess with our systems.
You probably know that it is fairly easy, using the debugger, to re-enable a button that was previously set to disabled, or change the value of hidden tags or variables. It would then be easy to post a form that is not supposed to be sent, with forged values...
Would there be a way to prevent all debugging tools from being used when your page is displayed in a production environment?
Some sort of meta tags that could be added to the web page, or something else?
I know I could scramble my JS scripts but are there any other ways?
Thanks
Asked Jan 2, 2014 at 16:18 by fled
- You should not be relying on JavaScript for security or validation. You should always have server side validation ensuring that the data you receive from users is in the format you expect. – John Conde Commented Jan 2, 2014 at 16:19
- ^ +1 that plus you could simply disable JavaScript entirely and circumvent all that. But as far as I know there's no way to control a user's browser like that using JavaScript – Sterling Archer Commented Jan 2, 2014 at 16:21
- The only way to guarantee on the client side that a user doesn't enable a disabled button is to not provide the button in the first place. (Server-side, you can have session information, including whether that button was set to the client as enabled or disabled.) – Scott Mermelstein Commented Jan 2, 2014 at 16:23
3 Answers
No, this is not possible. As John Conde said you should use server-side validation to protect against invalid input. Even without a "debugger" as you call them, a user can always GET/POST a request (with bogus data) to your form submission URL.
JavaScript validation is for improving the user experience, not for protecting your data; it runs on the client, so a malicious client can always change it. Anything sent to the server needs to be validated by the server, where the client can't mess with or bypass the validation.
In addition to debuggers, there are tools such as cURL that can be used to send any GET or POST request to your server. As a developer, cURL is pretty handy for letting servers communicate with each other (the time I used it, it was because my database was on a different web server than my UI), but it means that your server has to be able to safely handle any request sent to it, even those your JavaScript does not allow.
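An added example (not part of the original thread) of the server-side validation the answers above describe: the handler decides from server-held session state and a server-side catalog, so a re-enabled button or an edited hidden field has no effect. The names `CATALOG`, `SESSIONS`, `handleOrder` and all sample data are constructed for illustration.

```javascript
// Added example: names and sample data below are constructed for illustration.
// Server-side source of truth for prices and limits.
const CATALOG = new Map([['sku-100', { priceCents: 2500, maxQty: 5 }]]);

// Server-side session state records what each user may do, including
// whether the submit button was sent to them enabled or disabled.
const SESSIONS = new Map([
  ['sess-alice', { user: 'alice', canSubmitOrder: true }],
  ['sess-bob', { user: 'bob', canSubmitOrder: false }],
]);

// Validates one form submission. `body` is whatever the client posted:
// it may come from the page, from a DOM edited in devtools, or from cURL.
function handleOrder(sessionId, body) {
  const session = SESSIONS.get(sessionId);
  if (!session) return { status: 401, error: 'unknown session' };

  // A re-enabled button changes nothing: permission is checked here.
  if (!session.canSubmitOrder) return { status: 403, error: 'order not permitted' };

  const form = body && typeof body === 'object' ? body : {};
  const item = typeof form.sku === 'string' ? CATALOG.get(form.sku) : undefined;
  if (!item) return { status: 400, error: 'unknown sku' };

  // Form values arrive as strings; accept only whole numbers in range.
  const qty = /^\d+$/.test(String(form.qty)) ? Number(form.qty) : NaN;
  if (!Number.isInteger(qty) || qty < 1 || qty > item.maxQty) {
    return { status: 400, error: 'invalid quantity' };
  }

  // Any client-supplied price (e.g. a hidden field) is ignored.
  return { status: 200, user: session.user, totalCents: item.priceCents * qty };
}

// Constructed submissions: an honest one and three tampered ones.
const samples = [
  ['sess-alice', { sku: 'sku-100', qty: '2', priceCents: '2500' }],
  ['sess-alice', { sku: 'sku-100', qty: '2', priceCents: '1' }],
  ['sess-bob', { sku: 'sku-100', qty: '1' }],
  ['sess-alice', { sku: 'sku-100', qty: '-3' }],
];
for (const [sid, body] of samples) console.log(sid, body, handleOrder(sid, body));
```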
I have 2 ideas to limit this to 80%.
- Prohibit right clicking
- Use the setInterval function to monitor the change of HTML tags. If it is changed back to the original value or redirects the website to any other address, for example Google.