
Protect web content

P: 5
Hi All,

I am a web developer and I am lately becoming fairly security conscious.

So two questions for you and any help appreciated.

1) I have my hesitations about my web code being revealed to everyone through the "view page source" feature of web browsers. Apparently the source review may reveal quite a few hints that affect security. Is there a way to prevent people from seeing this?

2) Being a web developer (especially PHP) I would like to know how I can restrict my programs to run on specific domains only. In this way if someone steals my code he can not deploy it on his server.


Thanks for your help all

peter
Feb 21 '07 #1
10 Replies


acoder
Expert Mod 15k+
P: 16,027
There should be no secure information on the client side at all. If there is, you need to consider changing that. View Source will show all your client-side code and there's not much you can do about it. In any case, this should not really affect you (unless you have secret information which should not be there in the first place!)

If it's PHP, that's server side so as long as your web server, etc. is secure, no one can just take your PHP scripts. Even if you program your PHP to run on specific domains (if you can), that's not good enough if someone does actually get hold of your code because they can easily alter that. As long as you've kept everything fully secure I don't think you need to worry too much on that aspect.

Maybe someone else can give you more insight on this.

Hope that helps.
Feb 21 '07 #2

Expert 100+
P: 1,892
There isn't a whole lot you can do about the first problem: persons are going to be able to view the HTML source no matter what. If you have things you don't want to be seen, keep them server side with your PHP and don't display them. Not sure what you're trying to do with question 2. If someone steals your PHP code then they have it; I doubt, unless you do some kind of password protecting, you will be able to prevent them from opening the file.

Aric
Feb 21 '07 #3

bakum
P: 5
In my experience, in order for people to see your PHP code they need to be on your server, and that means you've got a whole bunch of other problems than people seeing your script! That said, any place where you accept user input is a possible attack vector and the received data needs to be sanitized by you the coder accordingly. Forms and URL variables are two such vectors. Read up on SQL Injection attacks and XSS (cross site script) attacks to learn more.

Also, remember all of your HTML and JavaScript is visible by the user at all times; there is nothing you can do about it. So keep sensitive material elsewhere.

Lastly, consider there are bots that scour the web looking for form fields with names like "credit card number" and "password" and then run automated attacks trying to compromise those scripts. So don't be blatantly stupid.
Feb 21 '07 #4

ronverdonk
Expert 2.5K+
P: 4,258
I really do not understand that 2nd question. When someone steals your PHP code case, s/he can of course run it anywhere s/he likes! PHP is interpreter code, hence readable to anyone who gets hold of it. And removing the domain check in that code is the easiest part of it.

If you really want to protect your server-side code, you have to dive into the security items bakum already mentioned, like protecting yourself from SQL injections, XSS attacks, never trusting any input, using strict session management techniques, placing all security related info outside the document root and, utterly, using a dedicated server.

Ronald
Feb 22 '07 #5
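
Added example (not part of any post in this thread): the replies above advise treating form and URL variables as untrusted and reading up on SQL injection and XSS. The sketch below shows a weak and a hardened query side by side, plus output encoding; the table, rows and function names are constructed for illustration, and it assumes PHP 7.4+ with the pdo_sqlite extension.

```php
<?php
// Added example, not from the thread. Table, rows and function names are
// constructed for illustration; runs offline with the pdo_sqlite extension.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)');
$db->exec("INSERT INTO notes (owner, body) VALUES
    ('peter', 'hello <b>world</b>'), ('admin', 'internal note')");

// Weak: the URL variable is pasted into the SQL text, so the caller
// controls the structure of the query, not just one value in it.
function notes_concat(PDO $db, string $owner): array
{
    $sql = "SELECT body FROM notes WHERE owner = '$owner'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the value travels as a bound parameter, separate from the SQL.
function notes_bound(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT body FROM notes WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output side: encode for the HTML context at the point of output, so
// stored markup is displayed as text instead of being interpreted.
function render(array $bodies): string
{
    $items = array_map(
        fn (string $b): string =>
            '<li>' . htmlspecialchars($b, ENT_QUOTES, 'UTF-8') . '</li>',
        $bodies
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

// Constructed input standing in for $_GET['owner'].
$input = "nobody' OR '1'='1";

echo count(notes_concat($db, $input)), " row(s) via concatenation\n";
echo count(notes_bound($db, $input)), " row(s) via bound parameter\n";
echo render(notes_bound($db, 'peter')), "\n";
```

With the constructed input, the concatenated query returns every row in the table while the bound query returns none, because the whole string is compared as a single owner name.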

P: 5
Made the mistake of posting this question in many forums and now I guess I am obliged to reply to all of them. I am no spammer, just conscious...

Both questions were answered by a tool I was informed about which is very powerful. This tool also covers my second question.

Check out a trial page I encoded:

http://www.geogreen.gr/welcome.html

Do "view page source". Can anyone see my source code?
Feb 23 '07 #6

Expert 100+
P: 1,892
Ok, the bad thing with this is that if the user has JS turned off they will have no access to your source. This must be some important stuff if you're going through all of this.
Feb 23 '07 #7

P: 5
Well I am going through this for specific reasons. The main ones are:

1) Bored of SPAM. Encoding my page means that spam bots are stopped as they can not find my @ sign to abuse it

2) increases security: just read web hacking - attack and defence chapter 7. Talks about source footprinting and the like.

3) link grabbing: no more link grabs and site download

These are just a few of the reasons I am doing this. The tool I found takes care of everything with a click!

As for non javascript users, you know a lot?
Feb 23 '07 #8

Expert 100+
P: 1,892
They do exist.
Feb 23 '07 #9

drhowarddrfine
Expert 5K+
P: 7,435
> encoding my page means that spam bots are stopped
So is Google, Yahoo, and every other search engine.
Feb 24 '07 #10

Expert 100+
P: 1,892
I agree Doc, this means your page will not get indexed. This means do not plan on users being able to google for your site. If internal (intranet) you may not have a bad idea as you can control whether they have JS turned on or off. I just really can't believe your content is that secret.

Aric
Feb 25 '07 #11
