Protect web content

Hi All,

I am a web developer and I am lately becoming fairly security conscious.

So two questions for you and any help appreciated.

1) I have my hesitations about my web code being revealed to everyone through the "view page source" feature of web browsers. Apparently the source review may reveal quite a few hints that affect security. Is there a way to prevent people from seeing this?

2) Being a web developer (especially PHP) I would like to know how I can restrict my programs to run on specific domains only. In this way if someone steals my code he cannot deploy it on his server.


Thanks for your help all

peter
Feb 21 '07 #1
acoder
16,027 Expert Mod 8TB
There should be no secure information on the client side at all. If there is, you need to consider changing that. View Source will show all your client-side code and there's not much you can do about it. In any case, this should not really affect you (unless you have secret information which should not be there in the first place!)

If it's PHP, that's server side, so as long as your web server, etc. is secure, no one can just take your PHP scripts. Even if you program your PHP to run on specific domains (if you can), that's not good enough if someone does actually get hold of your code because they can easily alter that. As long as you've kept everything fully secure I don't think you need to worry too much on that aspect.

Maybe someone else can give you more insight on this.

Hope that helps.
Feb 21 '07 #2
AricC
1,892 Expert 1GB
There isn't a whole lot you can do about the first problem: persons are going to be able to view the HTML source no matter what. If you have things you don't want to be seen, keep them server side with your PHP and don't display them. Not sure what you're trying to do with question 2: if someone steals your PHP code then they have it. I doubt, unless you do some kind of password protecting, you will be able to prevent them from opening the file.

Aric
Feb 21 '07 #3
bakum
5
In my experience, in order for people to see your PHP code they need to be on your server, and that means you've got a whole bunch of other problems than people seeing your script! That said, any place where you accept user input is a possible attack vector and the received data needs to be sanitized by you, the coder, accordingly. Forms and URL variables are two such vectors. Read up on SQL Injection attacks and XSS (cross site script) attacks to learn more.

Also, remember all of your HTML and JavaScript is visible to the user at all times; there is nothing you can do about it. So keep sensitive material elsewhere.

Lastly, consider there are bots that scour the web looking for form fields with names like "credit card number" and "password" and then run automated attacks trying to compromise those scripts. So don't be blatantly stupid.
Feb 21 '07 #4
ronverdonk
4,258 Expert 4TB
I really do not understand that 2nd question. When someone steals your PHP code case, s/he can of course run it anywhere s/he likes! PHP is interpreter code, hence readable to anyone who gets hold of it. And removing the domain check in that code is the easiest part of it.

If you really want to protect your server-side code, you have to dive into the security items bakum already mentioned, like protecting yourself from SQL injections, XSS attacks, never trusting any input, using strict session management techniques, placing all security related info outside the document root and, utterly, using a dedicated server.

Ronald
Feb 22 '07 #5
I made the mistake of posting this question in many forums and now I guess I am obliged to reply to all of them. I am no spammer, just conscious...

Both questions were answered by a tool I was informed about which is very powerful. This tool also covers my second question.

Check out a trial page I encoded:

http://www.geogreen.gr/welcome.html

Do "view page source". Can anyone see my source code?
Feb 23 '07 #6
AricC
1,892 Expert 1GB
Ok, the bad thing with this is that if the user has JS turned off they will have no access to your source. This must be some important stuff if you're going through all of this.
Feb 23 '07 #7
Well I am going through this for specific reasons. The main ones are:

1) Bored of SPAM. Encoding my page means that spam bots are stopped as they cannot find my @ sign to abuse it

2) increases security: just read web hacking - attack and defence chapter 7. Talks about source footprinting and the like.

3) link grabbing: no more link grabs and site download

These are just a few of the reasons I am doing this. The tool I found takes care of everything with a click!

As for non javascript users, you know a lot?
Feb 23 '07 #8
AricC
1,892 Expert 1GB
They do exist.
Feb 23 '07 #9
drhowarddrfine
7,435 Expert 4TB
"encoding my page means that spam bots are stopped"
So is Google, Yahoo, and every other search engine.
Feb 24 '07 #10
AricC
1,892 Expert 1GB
"So is Google, Yahoo, and every other search engine."
I agree Doc, this means your page will not get indexed. This means do not plan on users being able to google for your site. If internal (intranet) you may not have a bad idea as you can control whether they have JS turned on or off. I just really can't believe your content is that secret.

Aric
Feb 25 '07 #11
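
The points made in replies #2, #7 and #10, as an added example (not code from any poster and not the tool used in post #6): a client that does not run scripts gets nothing from an encoded page, while the full source is still recoverable from the response. It assumes the encoder percent-encodes the markup and writes it back with `document.write(unescape(...))`; the sample page, address and comment are constructed.

```javascript
// Constructed sample page; the address and the comment are made up.
const original =
  '<html><body><h1>Welcome</h1>' +
  '<a href="mailto:info@example.test">Contact</a>' +
  '<!-- TODO: admin panel lives at /hidden-admin/ --></body></html>';

// Assumed encoder scheme: every byte becomes %XX and is written back by script.
function encodePage(html) {
  const hex = Array.from(Buffer.from(html, 'utf8'))
    .map((b) => '%' + b.toString(16).padStart(2, '0').toUpperCase())
    .join('');
  return `<html><head><script>document.write(unescape('${hex}'));</script></head></html>`;
}

// What a script-less client (JS turned off, a search-engine crawler) can read:
// drop <script> blocks and comments, strip tags, collapse whitespace.
function textWithoutScripts(html) {
  return html
    .replace(/<script\b[\s\S]*?<\/script>/gi, '')
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<[^>]+>/g, ' ')
    .replace(/\s+/g, ' ')
    .trim();
}

// The encoded payload is shipped to every visitor, so decoding it needs no
// secret: for ASCII input this is the same transformation unescape() applies.
function recoverSource(html) {
  const m = /unescape\('((?:%[0-9A-Fa-f]{2})+)'\)/.exec(html);
  return m ? decodeURIComponent(m[1]) : null;
}

// Audit of your own page: what still leaks once the encoding is undone.
function auditLeaks(source) {
  return {
    emails: source.match(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g) || [],
    comments: (source.match(/<!--[\s\S]*?-->/g) || []).map((c) => c.slice(4, -3).trim()),
  };
}

const encoded = encodePage(original);
console.log('no-JS view of plain page  :', JSON.stringify(textWithoutScripts(original)));
console.log('no-JS view of encoded page:', JSON.stringify(textWithoutScripts(encoded)));
console.log('leaks after decoding      :', auditLeaks(recoverSource(encoded)));
```

Anything the audit reports has to be removed from the page or moved server side; encoding does not take it out of the response.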
