Hide urls in htmljavascript file - Stack Overflow

admin管理员组

文章数量:1410674

I am using ajax in my website and in order to use the ajax, I habe to write the name of the file for example:

id = "123";
$.getJSON(jquerygetevent.php?id=" + id, function(json)
{
    //do something
});

how can I protect the url? I dont want people to see it and use it...

I am using ajax in my website and in order to use the ajax, I habe to write the name of the file for example:

id = "123";
$.getJSON(jquerygetevent.php?id=" + id, function(json)
{
    //do something
});

how can I protect the url? I dont want people to see it and use it...

• javascript
• html
• url
• obfuscation
• client-side

Share Improve this question Follow edited Mar 21, 2011 at 23:03 Matthew Flaschen 285k5353 gold badges521521 silver badges552552 bronze badges asked Mar 21, 2011 at 23:01 RonRon 4,0951818 gold badges8282 silver badges131131 bronze badges

Add a ment  | 

5 Answers 5

Sorted by: Reset to default 5

that is a limitation of using client side scripts.
there is no real way to obfuscate it from the user
there are many ways to make it less readable (minify etc) but in the end an end-user can still view the code

Hi Ron and wele to the internet. The internet was (to quote Wikipedia on the subject)

The origins of the Internet reach back to research of the 1960s, missioned by the United States government in collaboration with private mercial interests to build robust, fault-tolerant, and distributed puter networks. The funding of a new U.S. backbone by the National Science Foundation in the 1980s, as well as private funding for other mercial backbones, led to worldwide participation in the development of new networking technologies, and the merger of many networks. The mercialization of what was by the 1990s an international network resulted in its popularization and incorporation into virtually every aspect of modern human life.

Because of these origins, and because of the way that the protocols surrounding HTTP resource identification (like for URLs) there's not really any way to prevent this. Had the internet been developed as a mercial venture initially (think AOL) then they might have been able to get away with preventing the browser from showing the new URL to the user.

So long as people can "view source" they can see the URLs in the page that you're referring them to visit. The best you can do is to obfuscate the links using javascript, but at best that's merely an annoyance. What can be decoded for the user can be decoded for a bot.

Wele to the internet, may your stay be a long one!

I think the underlying issue is why you want to hide the URL. As everyone has noted, there is no way to solve the actual resolved URL. Once it is triggered, FireBug gives you everything you need to know.

However, is the purpose to prevent a user from re-using the URL? Perhaps you can generate one-time, session-relative URLs that can only be used in the given HTTP Session. If you cut/paste this URL to someone else, they would be unable to use it. You could also set it to expire if they tried to Refresh. This is done all the time.

Is the purpose to prevent the user from hacking your URL by providing a different query parameter? Well, you should be handling that on the server side anyways, checking if the user is authorized. Even before activating the link, the user can use a tool like FireBug to edit your client side code as much as they want. I've done this several times to live sites when they're not functioning the way I want :)

UPDATE: A HORRIBLE hack would be to drop an invisible Java Applet on the page. They can also trigger requests and interact with Javascript. Any logic could be included in the Applet code, which would be invisible to the user. This, however, introduces additional browser patibility issues, etc, but can be done. I'm not sure if this would show up in Firebug. A user could still monitor outgoing traffic, but it might be less obvious. It would be better to make your server side more robust.

Why not put some form of security on your php script instead, check a session variable or something like that?

EDIT is response to ment:

I think you've maybe got the cart before the horse somehow. URLs are by nature public addresses for resources. If the resource shouldn't be publicly consumable except in specific instances (i.e. from within your page) then it's a question of defining and implementing security for the resource. In your case, if you only want the resource called once, then why not place a single use access key into the calling page? Then the resource will only be delivered when the page is refreshed. I'm unsure as to why you'd want to do this though, does the resource expose sensitive information? Is it perhaps very heavy on the server to run the script? And if the resource should only be used to render the page once, rather than update it once it's rendered, would it perhaps be better to implement it serverside?

you can protect (hide) anything on client, just encrypt/encode it into plicated format to real human

本文标签： Hide urls in htmljavascript fileStack Overflow