Is it possible to not allow people view one of my website's JS file?

Demo: .js

If you copy the URl and paste it in the browser, it will say "Unauthorized". But if you put it inside the HTML, it will do it's work.

Can I do that with my code.js file?

Is it possible to not allow people view one of my website's JS file?

Demo: http://js.maxmind./js/geoip.js

If you copy the URl and paste it in the browser, it will say "Unauthorized". But if you put it inside the HTML, it will do it's work.

Can I do that with my code.js file?

• javascript
• html
• security
• http-error

• 7 Nop, JavaScript is always visible in the client. You can minify it, obfuscate it, but still visible. – elclanrs Commented Jan 20, 2014 at 19:49
• 6 This is probably being done by checking the "referer" header. Thing is, once my browser loads your JS, I can view it. This is what the dev tools can do. Also curl --referer http://google. http://js.maxmind./js/geoip.js. – gen_Eric Commented Jan 20, 2014 at 19:50
• 3 PD: Don't break the web. – elclanrs Commented Jan 20, 2014 at 19:50
• 2 You cannot let the browser read a JS file without letting the browser's user read a JS file. Look at the dev tools. – SLaks Commented Jan 20, 2014 at 19:52
• 2 If you're needing to hide, you're probably going about the wrong way to code it. – KingKongFrog Commented Jan 20, 2014 at 19:52

4 Answers 4

JavaScript is an interpreted puter programming language. It's not being piled and it runs on the client's browser/puter, therefore, the client must see the script in order to execute it. That's why you cannot hide the code.

You can define in your server folders as restricted and that means the user can not access them directly, but when the browser loads the page it have to load all the ponents such as images, css files, js files etc... If the browser can load them, it means the user can see them as well.

For example, you can also define that users are not authorized to see any .jpg files but they can easily save any image. Actually the browsers usually saves the images anyway on your local puter and cache them, so next time you load the page, it won't have to download files that weren't changed again.

As others already mentioned, trying to hide a js code is very bad practice and you need to avoid it. If you want the make the life hard for other developers that wants to copy your code you can use this site to obfuscate your js code, but remmeber, it only makes it harder to read by humans, it does not provide you any security.

First, let me explain loud and clear: that is the worst security I can imagine for what it is trying to do. It is just shouting, "HEY NOBODY LOOK AT THIS INSECURE FILE."

Your question has been viewed 41 times so far. That means up to 41 people are wondering what that mysterious does and probably half of them can find easily out. In short, don't do this.

There is no client side security. I refer you to this answer, for instance.

As for how to implement the situation, as noted in ment it's probably done by checking the referrer header. To find out fully check the request headers in the dev tools in your browser and pare to the request headers used by curl (e.g. by using a post bin).

It is not possible to not allow people to view one of your website's JS files.

To be more precise, if someone can execute your JS file, they can view it.

Although you cannot prevent a user from being able to look at your javascript you can make it extremely difficult for them to understand what they are looking at through obfuscation or minification, for the latter there are many services that will do this for you; look at this for example. As for obfuscation I don't know of any way to do it automatically but it would be a similar approach.

If you have information in the javascript that you truly cannot allow a user to see, then I would suggest moving it into the server side code and only pass to the javascript the absolute minimum. As I am not sure what you are using on the server side I cannot give you a specific example; however in the past when using MVC I achieved this by passing the values I needed either to a hidden input ( if the value needed to be posted back with a form) or through jQuery.Data