I have this project (C# ASP.NET Web Forms & Web Services) in which I am loading & binding search results using jQuery AJAX. It is working fine and it's very fast.

But the only security-related problem that I am worried about is that the AJAX JavaScript code is visible to all users in the dev tools.

function loadEventNotification(refEventID, sequence, listActiveType, filterType) {
    try {
        var param = 'RefEventId : ' + JSON.stringify(refEventID) + ' , Sequence : ' + JSON.stringify(sequence) + ' , ListActiveType : ' + JSON.stringify(listActiveType) + ' , FilterType : ' + JSON.stringify(filterType);
        var notifID = 0;

        $.ajax({
            type: "POST",
            url: "../Services/CMEventDataService.asmx" + "/" + "CM_LoadEventNotificationWS",
            data: "{" + param + "}",
            contentType: "application/json; charset=utf-8",
            dataType: "json",
            success: function (response) {
                var total = 0;
                if (response.d == 'NOAUTH') {
                    message = 'Error : Your are not authorised to access this service';
                }
                else if (response.d == 'ERROR') {
                    message = 'Error : Unable to find records';
                }
                else if (response.d != '') {
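                    // eval() runs the response text as JavaScript; JSON.parse() only parses data, if the service returns strict JSON.
                    var list = eval(response.d.replace(/\\/g, "\\\\"));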
                    total = list.length;

                    var notif = '';
                    $.each(list, function (k, v) {
                        // Some HTML stuff goes here
                    });
                    $(document).find('#cdsn-items').html(notif);
                }
                else {
                    message = 'No matching records found';
                }
            },
            error: function (response) {
                message = 'Error : Unable to load records';
            },
            timeout: 120000
        });
    } catch (err) {
        console.log(err.message);
    }
}


Can I in any way hide this code from the users?

Once somebody is able to see the JS AJAX code then they will pick up the URL of the Web Service. I have made sure that the web service cannot be called from other domains (NOAUTH error).

But still, the code is exposed in dev tools.

Any suggestions? Highly appreciated.

What I have tried:

I tried finding ways of calling server-side code, but so far no help.
Updated 27-Aug-20 16:23pm
Comments
F-ES Sitecore 25-Jul-18 4:32am    
Even if you could hide the code I could still use the network tab to see what URLs you are requesting. BTW don't update your question to ask how to disable the dev tools, that's not the solution either. Not building a client-side system that relies on secrecy is the solution.

No. JavaScript is "human readable" and is an integral part of the web page - you can't "hide" it from the page without the browser being unable to read it.
The only way to hide it from the browser is to keep it entirely within the server.
You can "hide" the part of the code you want to by using an "obfuscated" method.
That means your code will not be humanly readable.

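To illustrate the comment above about the network tab, the following is an added example (not code from the question or from either answer) that compares the request issued by a readable caller with the one issued by an obfuscator-style version of it. It runs under Node.js; `fakeJq`, `loadReadable`, `_0x1f`, `observe` and `compare` are hypothetical names, the obfuscated form is constructed by hand, and only two of the question's four parameters are sent to keep it short.

```javascript
// Added example; runs under Node.js without a browser or jQuery.
// fakeJq() stands in for $.ajax and records what the network tab would list.
function fakeJq() {
  const seen = [];
  return { seen, ajax: (o) => seen.push({ type: o.type, url: o.url, data: o.data }) };
}

// Readable caller, shaped like the question's loadEventNotification.
function loadReadable($, refEventID, sequence) {
  $.ajax({
    type: "POST",
    url: "../Services/CMEventDataService.asmx/CM_LoadEventNotificationWS",
    data: JSON.stringify({ RefEventId: refEventID, Sequence: sequence }),
  });
}

// Constructed obfuscator-style variant: literals live in an encoded string
// table and names are meaningless. The table is encoded at load time only to
// keep this listing short; a real tool would ship just the encoded strings.
const _t = ["POST", "../Services/CMEventDataService.asmx/CM_LoadEventNotificationWS",
  "RefEventId", "Sequence", "ajax", "type", "url", "data"]
  .map((s) => Buffer.from(s, "utf8").toString("base64"));
const _d = (i) => Buffer.from(_t[i], "base64").toString("utf8");

function _0x1f($, a, b) {
  const p = {}, q = {};
  p[_d(2)] = a; p[_d(3)] = b;
  q[_d(5)] = _d(0); q[_d(6)] = _d(1); q[_d(7)] = JSON.stringify(p);
  $[_d(4)](q);
}

// Run a caller against the recorder and return the requests it issued.
function observe(caller, ...args) {
  const $ = fakeJq();
  caller($, ...args);
  return $.seen;
}

// Compare what leaves the page in both cases.
function compare() {
  const plain = observe(loadReadable, 42, 1);
  const hidden = observe(_0x1f, 42, 1);
  return { plain, hidden, same: JSON.stringify(plain) === JSON.stringify(hidden) };
}

console.log(compare());
```

Both callers produce the same method, URL and JSON body, so whatever protects `CM_LoadEventNotificationWS` has to be checked by the service on every request.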
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)