-6

I've been developing my first AngularJS application for a while, and I just realized that anyone could simply get/copy all the information from my JSON files at once. Therefore I ask:

  1. Is it safe to use AngularJS - i.e. should I be worried about people copying all the content of my app at once and then simply pasting it somewhere else?
  2. Is there a way I can make it unreadable for people to read the JSON file? I do know that there are some tools and websites that could make JavaScript scripts unreadable, but as I pass it to the view it makes the JSON unreadable by the browser.

There's a website called Udemy that uses Angular in part of it. I have tried by all means to see the class titles but still I can't find/read the JSON file that contains the content. How is such a thing possible?

Many thanks.

Rodrigo
  • 2
    Your "json files"? In any case, what the client can see, the client can see. Even obfuscation is hackable. What do you need to hide? – Dave Newton Mar 09 '15 at 21:58
  • This is not an angular issue, all JavaScript frameworks and modern web development are essentially open, you can make things tricky, obfuscation etc. but you cannot implement a trusted platform inside a browser. – Adam Mar 09 '15 at 22:00
  • 1
    Here is another post that talks about JSON hijacking -> http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses – Denis Priebe Mar 09 '15 at 22:00
  • @DaveNewton it's not really that I want to hide, it's that I am creating an app for practicing foreign languages, and I don't want the users to cheat and get the answers. – Rodrigo Mar 09 '15 at 22:08
  • 1
    If your JSON files are stored in a directory with eg, `.htaccess` with `Deny from all` this will already prevent direct browser access. Fetch it with an AJAX call to a PHP (or other server lang) script which returns the JSON data. – Tyblitz Mar 09 '15 at 22:12

4 Answers

2

You should never send to the user any data that they are not allowed to read, independent of whether the data is actually displayed on their screen. I assume that your data comes from a server (which possibly reads it from a DB); even with Angular.js you need to make sure that your server will only send the data that particular user is authorized to see. So the answers to your questions are actually not related to Angular at all, but to the server-side technology you use to feed the data to the Angular client running in the user's browser.

Marco Sandrini
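For the language-practice case raised in the comments, the advice above means the answer key stays on the server and the browser receives only the prompts. This is an added example, not part of the original answer; the routes, field names and sample questions are assumptions constructed for illustration.

```javascript
// Constructed sample data: the answer key lives only on the server.
const QUESTIONS = [
  { id: 1, prompt: 'Translate to Spanish: "the house"', answer: 'la casa' },
  { id: 2, prompt: 'Translate to Spanish: "thank you"', answer: 'gracias' },
];

// Build the JSON the browser receives from an explicit allow-list of fields,
// so a field added to the stored record later is not exposed by default.
function toPublicQuestion(q) {
  return { id: q.id, prompt: q.prompt };
}

// Normalise both sides so case, spacing and Unicode composition
// differences do not cause a correct answer to be rejected.
function normalise(s) {
  return String(s).normalize('NFC').trim().replace(/\s+/g, ' ').toLowerCase();
}

// Grade on the server. The response states only whether the submission
// was correct; the expected answer is never echoed back.
function gradeAnswer(id, submitted) {
  const q = QUESTIONS.find((item) => item.id === Number(id));
  if (!q || typeof submitted !== 'string' || submitted.length > 200) {
    return { status: 400, body: { error: 'invalid request' } };
  }
  const correct = normalise(submitted) === normalise(q.answer);
  return { status: 200, body: { id: q.id, correct } };
}

// Minimal router standing in for the server endpoints (hypothetical paths)
// that the Angular client would call instead of loading a static JSON file.
function handle(method, path, body) {
  if (method === 'GET' && path === '/api/questions') {
    return { status: 200, body: QUESTIONS.map(toPublicQuestion) };
  }
  const m = /^\/api\/questions\/(\d+)\/answer$/.exec(path);
  if (method === 'POST' && m) {
    return gradeAnswer(m[1], body && body.answer);
  }
  return { status: 404, body: { error: 'not found' } };
}
```

A client can still guess by submitting repeatedly, so attempts should be tied to an authenticated user and counted on the server.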
0

No, since AngularJS is client-side, anything you send it is available to the client. Therefore:

1) Depends on what you mean by safe. But yes, people can "read" all the content of your app that isn't in the backend.

2) No, not if you're using them in your JavaScript code.

szupie
  • 7
    The question is hardly a question and this is hardly an answer. – m59 Mar 09 '15 at 21:59
  • Sorry, I just thought I should match the quality of the answer to the post. But thanks for the constructive feedback! I've updated the "answer" to be slightly more informative! – szupie Mar 09 '15 at 22:05
  • @m59 I disagree, the question isn't up to spec indeed, but this answer gives a short but definitive answer. 1 is answered with yes and 2 with no, and some short but conclusive explanation. – Mouser Mar 09 '15 at 22:08
  • 1
    Well, the edit was soon enough to not officially count as a revision, so I can't remove my downvote, but I will later if you make some minor change in a bit. You did miss my point. The question shows hardly any understanding about javascript, thought, or research. There's probably 100 duplicates of this question, and some that are of some quality and have detail (see Beast Mode Joe's comment). Even with the edit, this and all of the other answers are really weak. – m59 Mar 09 '15 at 22:10
  • 1
    @m59 Haha, no worries, I don't care about downvotes; they're just numbers next to the actual content. But thanks for pointing out Beast Mode Joe's comment, I had no idea that there could be a more advanced answer like that. While it might not have been useful to the OP, it's interesting for others with more background stumbling upon this question! – szupie Mar 09 '15 at 23:59
0

There is no safe way to give someone both content and key but prevent them from reading them.

And that is what DRM does, actually what you are looking for.

Actually, any content is not considered 'safe' after you sent both content and key to client.

If they have key and content, they of course can find some way to decrypt and read them.

Jerry
0

First off, yes, it's safe to use AngularJS. Angular and any client-side utility should only be concerned with processing the "view logic" of the data it's receiving. That data is the result of the server-side "business logic" which is completely oblivious to the workings of Angular.

I believe you can still answer your security concerns by requiring authentication for your data. Require users to log in and allow them to access data via an authentication cookie or similar model. You can get this out of the box (or at the very least learn the process) by using MEANJS (meanjs.org).

All JSON data supplied to your site should be the data you want to be seen. If you're concerned that people can simply use your JSON URLs to aggregate your data on their own servers (assuming they pass the authentication process) then I'm sorry to say there are plenty of tools and savvy developers who can cherry pick that data off any site regardless of whether it's delivered via JSON, HTML, XML, etc.

In order to reliably hide data between client and server you'll need to build your own web application (think app) that uses one or more encryption methods on both ends. Even if you try to build your own client-side encryption/decryption/two-way-handshake for a standard web browser, you'll inevitably expose the business logic nested in the JavaScript and defeat the purpose entirely.

Steve Hynding