Messages 11 to 20 of 25 total |
Obfuscate JS output |
Wed, Jul 12 2017 8:40 AM | Permanent Link |
Raul Team Elevate | On 7/12/2017 7:25 AM, Big Al wrote:
> Is there any way for EWB to encrypt a string?

Sure. How would you prevent one from just stepping thru the debugger in Chrome and seeing what you are doing? And how would you "hide" the encryption password?

Anything embedded in JavaScript is easy to find, and if you send it from the server I can just replay that.

Raul
Wed, Jul 12 2017 8:48 AM | Permanent Link |
Raul Team Elevate | On 7/12/2017 5:30 AM, Big Al wrote:
> You're right, so I'm going to have to find a better way to keep my web service secure.
> I looked at OAuth a bit, but don't understand enough of it to be able to figure out how to make it work with my web service and ewb.

There is nothing wrong with using a username/password that the user has to enter and the app then uses during the session. The web service simply has to authenticate every request and not return anything for unauthenticated users. This and running over TLS is totally adequate for many projects.

You can definitely take this further and either create your own session token model or move to something like OAuth2 or OpenID, but complexity will increase with these implementations, so decide if you really need it first.

Raul
Wed, Jul 12 2017 11:10 AM | Permanent Link |
Matthew Jones | Big Al wrote:
> keep my web service secure.

Secure from what?

--
Matthew Jones
Wed, Jul 12 2017 2:01 PM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com |
<< Has anyone looked into any way to obfuscate the JS output? >>

As mentioned already, EWB already obfuscates the JS if you turn on compression in the compiler.

<< I was wondering if any of the obfuscating tools out on the internet work to make it much harder for anyone to understand what the js file is actually doing? >>

Don't rely on this to protect anything. A determined hacker/developer can *always* figure out what your application is doing. Even .exes aren't secure if the hacker has direct access to them and can run them, so JS obfuscation is definitely not going to do the job.

Again, don't put *anything* related to security in your EWB code (no back-doors or special passwords), but *do* use https and authentication on every web service request to ensure that your web service can protect itself from malicious use/access.

EWB will have more to offer in this area once I get the back-end coding/execution layer completed for the EWB Web Server.

Tim Young
Elevate Software
www.elevatesoft.com
Wed, Jul 12 2017 3:18 PM | Permanent Link |
Big Al | >>Tim Young [Elevate Software] wrote:
>>*do* use https and authentication on every web service request to ensure that your web service can protect itself from
>>malicious use/access.

I would love to use authentication on every web service request, just trying to figure out how to do that reliably and securely. I'll do more research.

Big Al
Wed, Jul 12 2017 3:55 PM | Permanent Link |
Tim Young [Elevate Software] Elevate Software, Inc. timyoung@elevatesoft.com |
<< I would love to use authentication on every web service request just trying to figure out how to do that reliably and securely. >>

Are you using the EWB Web Server or something else?

Tim Young
Elevate Software
www.elevatesoft.com
Wed, Jul 12 2017 7:15 PM | Permanent Link |
Big Al | Tim Young [Elevate Software] wrote:
>>Are you using the EWB Web Server or something else ?

I am using something else at this point, but the most important thing is to get it working, so I am open to whatever I need to use.

Big Al
Wed, Jul 12 2017 7:19 PM | Permanent Link |
Big Al | "Matthew Jones" wrote:
>> Big Al wrote:
>> > keep my web service secure.
>> Secure from what?

Matt, didn't mean to ignore your question. My web service is being used to select, update, delete and insert data from my database. I need it to be secure so only my app under app control can update the database.

Big Al
Wed, Jul 12 2017 7:28 PM | Permanent Link |
Raul Team Elevate | On 7/12/2017 3:18 PM, Big Al wrote:
> I would love to use authentication on every web service request just trying to figure out how to do that reliably and securely.

At the very basic level:

This is driven by both app design and service design.

Web service should look for credentials included with every request and only if those are present and can be authenticated return data (and limit data to what that user can see - but that would be up to your db queries etc. now).

From the app side you need to ask the user to authenticate whenever they start the app, and then you can cache those credentials for the session.

Include credentials with every request (either as URL params or headers - your web service needs to extract them from the same).

If you centralize your web requests into a global class then including this is pretty easy (store them globally and every time you execute a new request just include them).

How you decide to implement auth details is really up to you - use username/password every time, or at startup use username/password and then get a sessionid from the service that you can then use as a URL param.

That's pretty much it.

Raul
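Raul's outline above (log in once, then send a session id with every request, which the service checks before returning anything), as an added example that is not part of the original thread and is not EWB or Elevate code. It assumes a Node.js back end with in-memory stores, all function names are hypothetical, and the session id travels in an `Authorization` header rather than the URL so it stays out of address bars and server logs.

```javascript
// Added example (not from the thread). In-memory stores and all names are hypothetical.
const crypto = require('crypto');

const SESSION_TTL_MS = 15 * 60 * 1000;   // assumed session lifetime
const users = new Map();                 // username -> { salt, hash }
const sessions = new Map();              // sha256(token) -> { user, expires }

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const hashPassword = (pw, salt) => crypto.scryptSync(pw, salt, 32);
// Node lower-cases incoming header names, hence headers.authorization.
const bearer = (headers) =>
  (/^Bearer ([0-9a-f]{64})$/.exec((headers && headers.authorization) || '') || [])[1];

function addUser(username, password) {
  const salt = crypto.randomBytes(16);
  users.set(username, { salt, hash: hashPassword(password, salt) });
}

// Called once per app start: check the password, hand back a random session id.
function login(username, password, now = Date.now()) {
  const rec = users.get(username);
  if (!rec) return null;
  if (!crypto.timingSafeEqual(hashPassword(password, rec.salt), rec.hash)) return null;
  const token = crypto.randomBytes(32).toString('hex');
  // Only a hash of the token is stored, so a leaked session table holds no usable ids.
  sessions.set(sha256(token), { user: username, expires: now + SESSION_TTL_MS });
  return token;
}

// Called on every request: no valid, unexpired token means no user.
function authenticate(headers, now = Date.now()) {
  const token = bearer(headers);
  if (!token) return null;
  const key = sha256(token);
  const session = sessions.get(key);
  if (!session) return null;
  if (session.expires <= now) { sessions.delete(key); return null; }
  return session.user;
}

// Ends the session early; returns true if a session was removed.
function logout(headers) {
  const token = bearer(headers);
  return token ? sessions.delete(sha256(token)) : false;
}

// Every endpoint goes through the same gate and returns nothing when it fails.
function handleRequest(req, now = Date.now()) {
  const user = authenticate(req.headers, now);
  if (!user) return { status: 401, body: '' };
  return { status: 200, body: `rows visible to ${user}` };
}
```

The expiry and `logout` bound how long a captured session id stays usable; they do not replace TLS, which is what keeps the id from being captured in transit.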
Wed, Jul 12 2017 8:02 PM | Permanent Link |
Big Al | >>Raul wrote:
>>Web service should look for credentials included with every request and
>>only if those are present and can be authenticated return data (and
>>limit data to what that user can see - but that would be up to your db
>>queries etc now)

Totally agree

>>From app side you need to ask user to authenticate whenever they start
>>the app and then you can cache those credentials for the session.

Ok, let's say my app now has the username and password based on what the user entered.

>>Include credentials with every request (either as url params or headers
>>- your web service needs to extract it from same ).

That's the part I'm missing....
If I pass the username/password on the URL, then a person could see it, though they would only see their own since that's the only way I believe they would have a valid username/password. But that exact URL could be saved and used at a later time again?? Maybe there is some way I could stop that from happening. If the URL was used to insert or update data, then running it again would insert or update data. Maybe I'm just not thinking it thru, but that seems like that might be an issue.

>>If you centralize your web requests into global class then including
>>this is pretty easy (store them globally and every time you execute new
>>request just include).

I don't understand how to do that yet, but I understand what you're saying and will eventually make that happen.

>>How you decide to implement auth details is really up to you - use
>>username/password every time or startup use username/password and then
>>get a sessionid from service that you can then use as url param.

If I got a session ID, I don't really have sessioning on the web service side, but could implement something like that without too much trouble. Again, if someone grabs the URL, could they update data later if it's soon, so the same session might be active?

Thanks for your explanation. I still have questions, but we'll see what can be done.

Big Al
This web page was last updated on Monday, April 29, 2024 at 05:23 AM