
Secure data in JavaScript

I have to create a generator for web tests (using HTML and JavaScript). The test has to work offline and online.

Correct answers and score evaluation must be a part of a generated test. The final user's score is then only sent to the server (evaluation cannot be done on the server and server knows nothing about questions - it only saves the final score).

Is there any way to have the correct answers as a part of the test and not allow the user to easily find them using Firebug?

Pavel Hodek asked Nov 18 '25 05:11


2 Answers

there's no really good solution to your problem. the only thing you can do is minifying or encrypting your javascript to make it hard to read and use weird variable-names.

you can't ever hide it completely because the browser itself has to interpret it and that way a human can always decrypt and manipulate it (using firebug like you said, for example).

the best way would be to rebuild the whole thing to not rely on secure data in client-side code - i know you said it's not possible, but i'm sure it is. maybe it's complicated, but the only really secure way.

EDIT:
i forgot you said it has to work offline - in that case i agree that client-side code is the way to go... as said, your only way is encryption/minification then and hoping no one is motivated enough to work through that ugly code.

oezi answered Nov 19 '25 19:11


I think you can take a look at this JavaScript encryption utility

AMAIK, when you send any data to the client, the data is there and could be seen. If it's obfuscated, it can be easily tampered with. If it's encoded, it can be decoded. However, if it's encrypted, then for the decryption process, you need the appropriate key. Now, if you've used symmetric encryption, then the key is on your server, which means that you still need the server to exist in your design, which is against your requirements:

Tests has to work offline

If you use asymmetric encryption then you send the public key alongside your sent message. This means that the key is there, at client-side, ready to be used for decrypting data.

Thus, as much as you only want to work on the client only, there seems to be no rigid way for that.

Saeed Neamati answered Nov 19 '25 19:11
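
The point both answers make about the key, as an added example that is not part of the original thread: a generator encrypts the answer key with AES-256-GCM, but because the test must score itself offline, the key ships in the same bundle, so the page's own decrypt routine returns the answers to anyone holding the page. It runs under Node.js; the function names and bundle layout are hypothetical and the sample answers are constructed.

```javascript
const crypto = require('crypto');

// Generator side (hypothetical): encrypt the answer key with AES-256-GCM.
function buildOfflineBundle(answers) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(answers), 'utf8'),
    cipher.final(),
  ]);
  // The test has to grade itself with no server, so the key must ship too.
  return {
    key: key.toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ciphertext: ciphertext.toString('base64'),
  };
}

// Client side: what the page's scoring code has to do before it can grade.
function decryptAnswers(bundle) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm',
    Buffer.from(bundle.key, 'base64'),
    Buffer.from(bundle.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(bundle.tag, 'base64'));
  const plain = Buffer.concat([
    decipher.update(Buffer.from(bundle.ciphertext, 'base64')),
    decipher.final(),
  ]);
  return JSON.parse(plain.toString('utf8'));
}

// Count the responses that match the decrypted answer key.
function score(bundle, responses) {
  const answers = decryptAnswers(bundle);
  return Object.keys(answers).filter((q) => responses[q] === answers[q]).length;
}

// Constructed sample data.
const sampleAnswers = { q1: 'b', q2: 'd', q3: 'a' };
// JSON round-trip models "only what was delivered to the browser".
const delivered = JSON.parse(JSON.stringify(buildOfflineBundle(sampleAnswers)));

console.log('score:', score(delivered, { q1: 'b', q2: 'a', q3: 'a' }));
console.log('answers readable from the bundle alone:', decryptAnswers(delivered));
```

The cipher strength is irrelevant here: the confidentiality boundary is wherever the key lives, and in an offline test that is the user's browser.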


