Is there a way to hide files that are being served by the Node server? I have tried to reroute certain files and directories, but nothing is working in Express 4.X. I have also tried to send 4XX HTTP responses when certain files are requested, but this only works for directory paths. No matter what I do, if there is a file that is being served by Node, then the user is going to be able to see the source code. Is this just how Express works? Is it meant to be a development framework over a production framework?
Right now I am trying to send bad responses.
full server.js
var path = require('path'),
    express = require('express');
var app = express();
app.use('/', express.static(__dirname));
app.use('/', express.static('dist'));
// not working
app.get('/client/config/app.js', function(req, res) {
    res.sendStatus(400);
});
app.listen(3001, function() {
    console.log('listening');
});
I am able to send a response if I specify a directory path, but not if I specify a full file path. This works:
app.get('/client/config/', function(req, res) {
    res.sendStatus(400);
});
And this doesn't:
app.get('/client/config/app.js', function(req, res) {
    res.sendStatus(400);
});
I've also tried routing with app.use. That didn't work either.
The best thing I can do right now to "hide" the source code is to uglify it with Gulp, but I imagine it's easy to unravel it with a JS prettifier.
asked Dec 17, 2015 at 16:17 by Sudo, edited Dec 17, 2015 at 16:20
- Uhm, so the issue is that the user can view the source of any file served by Node? If so, that's how it works, regardless of what serverside language you are using, it's how the web in general works. Anything sent to the client, can be read by the client ? – adeneo Commented Dec 17, 2015 at 16:19
- For files that shouldn't be visible to the client at all, you just stick them in a folder that isn't part of your public folder ? – adeneo Commented Dec 17, 2015 at 16:21
- Hmmm... is there a way to restrict access? What if I don't want the user to see my JavaScript source code? Is that impossible to achieve? – Sudo Commented Dec 17, 2015 at 16:22
- That depends, the user shouldn't see your serverside code at all, but the javascript that is supposed to run in the browser can't be hidden. – adeneo Commented Dec 17, 2015 at 16:23
- Possible duplicate of Restricting access to static files in ExpressJS – jkris Commented Dec 17, 2015 at 16:23
1 Answer
one line culprit
app.use('/', express.static(__dirname));
That line is saying it's ok to pull anything. You could replace it with:
app.use('/', express.static(__dirname + '/public'));
Then put stuff in the public directory you want viewed. For routes you want to have as priority, place them before the other declarations. So you would place:
app.get('/client/config/app.js', function(req, res) {
    res.sendStatus(400);
});
above all else. However, seems like you may not need it if you just fix the first problem, then you are good. Also, see HTTP status codes. You would probably want 404 or 403 for that type of file.
http://www.w3/Protocols/rfc2616/rfc2616-sec10.html
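To see what the choice of static root exposes, the script below (an added example, not part of the original question or answer) walks a constructed project laid out like the one in the question and lists which server-side files become reachable when the root is the project directory versus a public subdirectory. The helper names, the sample files and the SERVER_SIDE patterns are assumptions made for illustration; it uses only Node's built-in modules and does not call Express.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// List the URL paths a static file root would expose: every regular file
// under `root`, relative to it. (Hypothetical helper, not an Express API.)
function exposedPaths(root) {
  const found = [];
  (function walk(dir) {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) walk(full);
      else if (entry.isFile()) {
        found.push('/' + path.relative(root, full).split(path.sep).join('/'));
      }
    }
  })(root);
  return found.sort();
}

// Assumed patterns for files that should never reach the browser.
const SERVER_SIDE = [/^\/server\.js$/, /^\/package(-lock)?\.json$/, /^\/node_modules\//, /\/config\//];
function serverSideLeaks(root) {
  return exposedPaths(root).filter((p) => SERVER_SIDE.some((re) => re.test(p)));
}

// Constructed sample project mirroring the layout in the question.
function makeSampleProject() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'static-audit-'));
  const files = {
    'server.js': '// server code',
    'package.json': '{}',
    'client/config/app.js': '// config',
    'public/index.html': '<h1>hi</h1>',
    'public/js/bundle.js': '// browser code',
  };
  for (const [rel, body] of Object.entries(files)) {
    const full = path.join(root, rel);
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, body);
  }
  return root;
}

const project = makeSampleProject();
console.log('root = __dirname       :', serverSideLeaks(project));
console.log('root = __dirname/public:', serverSideLeaks(path.join(project, 'public')));
```

Running the same listing against a real project's static root before deployment shows exactly which files a browser can request.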