
php – How can I block direct access to my JavaScript files?

Posted by: admin July 12, 2020


I use Minify to minify and cache all my script requests. I only want my users to be able to access the minified versions of the JavaScript files.

Minify lies at www.example.com/min and my scripts are at www.example.com/scripts. How can I block direct access to doc_root/scripts, which is where my unminified JavaScript files lie? I’d rather not put them out of the document root but it’s an option.

Please note that I’m using Zend Framework, so the actual root of my application is shifted to www.example.com/public. An htaccess file handles the rewrite.

Answers:

Can’t you just use an .htaccess file inside doc_root/scripts to prevent all access over the web to .js files over HTTP?

It won’t stop minify, since that provides indirect access.

So in doc_root/scripts/.htaccess, something along the lines of

<Files ~ "\.js$">
    order allow,deny
    deny from all
</Files>

Note that the location of the .htaccess file matters in this case.
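
The same rule written for both Apache generations, as an added example that is not part of the original answers: `Order`/`Deny` is the Apache 2.2 syntax and on 2.4 it only works through mod_access_compat, where the native form is `Require all denied`. It assumes the file is doc_root/scripts/.htaccess and that the server's `AllowOverride` setting permits these directives (`AuthConfig` for `Require`, `Limit` for `Order`/`Deny`).

```apache
# doc_root/scripts/.htaccess  (added example, path taken from the question)
#
# Refuse every HTTP request for the unminified sources in this directory.
# As the answer above notes, Minify is not stopped by this, since it
# provides indirect access rather than fetching the files over HTTP.

<FilesMatch "\.js$">
    # Apache 2.4 and later: authorization is handled by mod_authz_core.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2: mod_authz_core does not exist, use the older directives.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

A request for a file under /scripts/ ending in .js should then return 403, while the /min URLs keep working; if the server answers 500 instead, the directives are not allowed by `AllowOverride`.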


You effectively can’t block end-user facing code. Even if you served it with PHP or another server-side language and blocked direct requests, it’s of course still possible to read it directly with a number of tools.

You should code with this in mind and be mindful with JavaScript comments, business knowledge, etc.


However, if you’re talking about code that doesn’t ever need to be accessed by an end-user, you could as you mentioned move it out of the server root, or you can block the files in your directory (or an entire directory). It’s easy with Apache’s .htaccess.

# No space is allowed after the comma in the Order argument
Order deny,allow
Deny from all

You could also redirect the source files to the minified versions with mod_rewrite in your .htaccess file.

RewriteEngine On
# In .htaccess the pattern is matched against the path without its leading slash
RewriteRule ^scripts/(.*)$ /min/$1 [L,NC]


Depends on the server you’re using. Assuming it’s Apache, you can add this to your .htaccess file:

# <Directory> is only valid in server or virtual-host config, not in .htaccess
<Directory ~ "/scripts">
Order allow,deny
Deny from all
</Directory>

Or something to that effect..


The only way is to check referers, and not everyone sends them, or sends a real one. In other words, you can’t block direct access to anyone who really wants something. It’s impossible to determine with 100% accuracy if a request is a direct one or is being done via a <script src=....> type request.


For your JavaScript to actually run, the user’s browser must ultimately be able to read it.
As such there’s no real way to “block” access to your scripts folder (well to be precise you can but that would break your website since the browser would not see the files in order to run them.)

One solution could be obfuscation, which makes the JavaScript code harder to read / understand, but ultimately the user will see the code, and with a bit of persevering reverse engineering it can be de-obfuscated.

Another thing I’ve seen someone do is create an “empty” js.html page, insert all their JavaScript into script tags in the page (embedded, not external), and from the main page make an AJAX request to js.html and embed it at the bottom of the page. It’s kind of a roundabout way, but the user will not see the JS when viewing the source unless using developer tools such as Firebug.

Note that the last option also might cause some delay depending on the amount of code you are loading. But here the key is not blocking access to your scripts, but just making them harder to obtain / read / copy.

Edit: oops, misread as well. I think the best solution in this case would be to go with an htaccess file in your scripts folder denying all access.


This answer is a little bit newer than the question (only several years, that’s nothing).

You cannot deny access to JavaScript files, because they won’t be accessible from a <script> tag.

But I found a workaround:

RewriteEngine On

RewriteRule ^.*\.js$ /invalid.html [R=301,L]

Place it in the .htaccess file in the home folder of your web site (under htdocs or public_html).
This will automatically redirect everyone from it. So they don’t see it.