User info as global var on frontend
- What is the best way to prevent the end user from using the web application? managing JavaScript global variables on frontend and other runtime objects?
- What are the best steps I can take to minimize security vulnerabilities and bad user intervention?
- Are they checked by the app or not?
source to share
The best solution for users breaking global variables is to have no global variables. But this is more of a practice than a security thing.
You seem to have a slight misunderstanding about how the client code works. The client code runs on the client. You have no control over the client, your user does . You give my browser code and ask it to run it the way you intend it. The browser has absolutely no obligation to actually run the code as it sees fit.
From a security standpoint, never assume that your client code ever worked the way you intended. Even the suggested Kurt can be trivially overcome with a debugger and developer console.
NEVER rely on user input. NEVER rely on client side validation. NEVER send confidential information about other users to a client . Any information you submit can and will be used against you.
source to share
As far as security vulnerabilities are concerned, the interface is not what concerns you with this. Javascript will not protect you from this .
There is also not much you can do to prevent users from manipulating global variables. They are available right on the console.
I would question why you are cluttering the global namespace with variables.
The best option here would be to create a module template expansion that creates private variables.
var MyFunction = function(){
var _ = {
Init: function(){
},
PrivateVariable: "foo bar"
}
return {
Init: _.Init
}
}();
However, this is more used for encapsulation rather than security benefits. No security on the client side . All of this needs to be handled on the server side.
source to share