user1709076 - 7 days ago
HTML Question

nodejs: allow client to use scripts but hide scripts from end-users

I have functions in my static HTML website on NodeJS in a 'functions' directory. These functions hit end-points like 'login' and get '/user' info with XMLHTTPRequest.

I don't like the idea of exposing my end-points to end-users. Is it possible to put my 'functions' directory outside of my static html directory, like:

HTML
    index.html
FUNCTIONS
    my_func.js


yet access my FUNCTIONS from index.html in HTML like:

<script type="text/javascript" src="../FUNCTIONS/my_func.js"></script>


I already know this is not possible because I tried this and I just get a 404 for: www.mywebsite.com/functions/my_func.js

But really that is not the URL, because there is no URL, because I'm not wanting to host my 'functions' directory in a publicly accessible URL.

I tried this: How do I prevent Node.js / Express serving up my application's source code?

to create a 'route' so that if 'functions' is seen in my path like:

<script type="text/javascript" src="../functions/my_func.js"></script>


It is supposed to redirect to a directory outside of the publicly hosted HTML on nodejs, but it didn't work.

I also did at the NGINX level: http://serverfault.com/questions/310124/nginx-redirect-url-containing-php

if ($request_uri ~ .*.functions.*)
{
return 410;
}


Which does prevent the js in the functions directory from being seen (when I put FUNCTIONS directory inside the HTML directory). However, this also prevents index.html from being able to load the js functions as well.

rsp
Answer

The answer to your question is: No, it's not possible.

If you host your "functions" script outside of your static directory then no one will be able to access it. If you put it somewhere where it can be accessed, then users will also be able to read it.

There is no way around it. Any code that is run by the client can be read by the client. Even binary files can be disassembled, so this is not only true of languages like JavaScript but also of compiled languages.

Even if people couldn't see the code itself, they would always be able to see the network traffic in their browser's developer tools where they can see all of the endpoints, parameters and data sent and received.

What you can do, though, is make sure that everyone can only do what you want them to do with those endpoints. So your endpoints should always check who is doing a request by using e.g. an authentication token and enforcing the rules of who can do what. That way people will be able to access your endpoints, but they will be able to do only the things that they can do with your frontend anyway.