Protecting Chromecast Receiver application - chromecast

We need to protect our HTML5/JS application from being stolen. (We need to protect JavaScript code mainly.)
Chromecast requires the application to be hosted on an HTTPS server. But anyone who puts a sniffer on the same network as the Chromecast can find what URL it loads and load it directly from any browser.
The user agent etc. can be easily mimicked if we use it to secure the application.
What would be the best mechanism to protect proprietary JavaScript code in a published Chromecast JavaScript application from being stolen?
Thanks a lot in advance.
Sasha

One common practice is to minify + obfuscate the JavaScript code.

You can generate a URL with a session id in it, and have the URL become invalid after some time. This way, if someone intercepts the URL using a sniffer, it will only work for a short period of time.
One other option is to have your HTTP server whitelist the client IP address or MAC address.
You might want to look at how the Spotify Chrome app works.
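
The expiring-URL idea from the answer above, sketched as an added example (not part of the original answers): the server issues the receiver URL with a session id, an expiry time and an HMAC over both, and rejects any request whose signature does not match or whose expiry has passed. The parameter names `sid`, `exp` and `sig`, the host `receiver.example` and the function names are assumptions for illustration.

```javascript
// Added example (Node.js, server side): short-lived, HMAC-signed receiver URLs.
const crypto = require("crypto");

// HMAC-SHA256 over an unambiguous encoding of path, session id and expiry.
function sign(path, sessionId, expires, key) {
  return crypto
    .createHmac("sha256", key)
    .update(JSON.stringify([path, sessionId, expires]))
    .digest("hex");
}

// Build the URL handed to the sender/receiver; valid for ttlSeconds.
function issueReceiverUrl(base, sessionId, ttlSeconds, key, now = Date.now()) {
  const url = new URL(base);
  const expires = String(Math.floor(now / 1000) + ttlSeconds);
  url.searchParams.set("sid", sessionId);
  url.searchParams.set("exp", expires);
  url.searchParams.set("sig", sign(url.pathname, sessionId, expires, key));
  return url.toString();
}

// Check an incoming request URL before serving the application.
// Returns "ok", "malformed", "bad-signature" or "expired".
function verifyReceiverUrl(requestUrl, key, now = Date.now()) {
  const url = new URL(requestUrl);
  const sid = url.searchParams.get("sid");
  const exp = url.searchParams.get("exp");
  const sig = url.searchParams.get("sig");
  if (!sid || !sig || !/^\d+$/.test(exp || "")) return "malformed";

  // Verify the signature first so a modified expiry is never trusted.
  const expected = Buffer.from(sign(url.pathname, sid, exp, key));
  const given = Buffer.from(sig);
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return "bad-signature";
  }
  if (Math.floor(now / 1000) > Number(exp)) return "expired";
  return "ok";
}
```

The signing key stays on the server. A URL captured inside its validity window still loads, so the lifetime should be kept short.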

Related

Is there any way we can modify JSON data coming in the Network tab of Chrome and see the changes in the web page?

The webpage template loads data via some JSON data we get from the endpoint.
I have a REST API and an Angular front end. The Angular app populates the template from the data coming in from the REST API, which we can see in the Network tab of Chrome Developer Tools.
Is there any way we can modify the REST data in the Network tab and see the changes that occur in the webpage?
Is that even possible? It might sound like a stupid question, but I guess this might be a very special tool if there is not much interaction between the back end and front end teams.
I am not quite sure if I am able to explain it properly, but this was the best I could edit; please bear with me, thanks.
Just a screenshot of the type of data in the Network tab.
It is not possible from Chrome's Network tab. You have to use Burp Suite, for example, which is available in Kali Linux by default. With that you can intercept HTTP requests and responses and modify their payload.
You can get it from here: https://portswigger.net/burp/
No, you're not able to modify XHR data as you can other sources. What I do is just copy the file to my local drive and temporarily modify its source. I test responses from APIs using Postman and it's pretty awesome.
I have to say I'm a little bit afraid for you though. It's not a great idea to be consuming services from external APIs from the client side. Are your API keys and passwords hanging out in that client-side code somewhere?

Native Mobile Application client side page to page response times

Is there a tool to measure native mobile app (can be iOS or Android) client-side page-to-page response times? I found MIHTool (a mobile app) that can help us get an HTTP traffic trace like Firebug does for mobile browser-based applications, but not for native mobile apps. I would appreciate your suggestions.
I am the creator of MIHTool. If you want to measure a native mobile app, all you need to do is use Fiddler to set up a proxy on your PC, then set your phone's Wi-Fi proxy to your PC's local IP address.
PS: MIHTool helps more than 50K devs right now. I'd love to post it here so more and more devs can make their job easier and help me make MIHTool better, but I got banned for posting it as ads.

How to do a Chromecast API White List URL page?

I want to integrate with the Chromecast Developer API, so I want my Chromecast (being shipped) whitelisted, but you are supposed to supply 2 URLs. What exactly are these for? I might just be confused about how it works. Thanks.
EDIT:
I found this source to be a good example to demonstrate how to use it. The HTML in the receiver is what you would have the white listed URL pointing to.
A Receiver is an HTML5 application (HTML/JS/CSS3) that runs on the Chromecast device. Your Sender application must send an App ID to the device, which then looks up the app in a table and loads your page for you. You then use the App ID in your Receiver (on the Chromecast device) to open a connection to your Sender.
We ask you to provide one or two URLs. We expect that you'll want to have a development URL, and eventually a production one. You only need to provide one.
From the Chromecast Device Whitelist Request Form
Please provide at least one receiver URL, we will provide an
Application ID for each of them, 2 max (typically, you'll list a
production URL and a testing URL)

Hiding AJAX with JSON communication from user

We are currently working on a web client that communicates with the server using AJAX with JSON. The client is based on gwt, and communication is over https.
The communication can be easily inspected by browser tools - is there some reasonable approach to hide this from the user, i.e. securing the protocol?
Other than standard authentication and encryption techniques used by all browsers, whatever method you come up with, it must be initiated by your JavaScript client. This means that a good hacker can deconstruct your JavaScript and figure out how you submit data.
Security usually deals with either third parties trying to intercept communication or pose as legitimate users, or malicious users trying to get access to where they are not supposed to. Once you verified that a user is legitimate, why would you try to hide user's data from the user? Maybe you can describe your use case.
EDIT:
The only way to prevent bots is to ask a question that only a human can answer (e.g. Captcha) somewhere in the workflow (i.e. before submitting important data). It's usually annoying for users, but there is no other way. Since you build a gaming platform, ask your designer to come up with some fun verification.
Just to Round off Security Checklist
1) HTTPS - you have got it set up already :)
2) JSON and XSS/XSRF Web Security -
https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#json-xsrf
https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#json
3) BOT attacks - A decent captcha - Captcha in GWT Widget
4) Miscellaneous - https://groups.google.com/forum/?fromgroups=#!topic/google-web-toolkit/_gViO5aZ-WQ

Improving WebMail performance MVC3

I'm using the MVC helper WebMail to send emails. However the speed of it seems to be of concern. Especially when I have to send more than 1 email at the same time. I tried using a thread, but that didn't work since the Webmail object was null. How do I speed this up? Any ideas appreciated.
Forgot to mention, this is during testing and I'm using localhost and gmail! Not sure if that is causing the issue.
Thank you
If you want performance, don't use the WebMail helper. Use the classes in the System.Net namespace.
This allows you to open a new thread and send the email out-of-band from the web request.
We use Google Apps mail (gmail) in the cloud, opening a new thread, and sending the email from there, using the System.Net types (not WebMail). It works pretty well, as we can respond to the user without having to wait for the email to be sent.
Be careful about using Google Apps / Gmail though, especially in development. We had one of our accounts disabled by Google because of this. During development, you should use your local ISP, or better yet, use SpecifiedPickupDirectory, as it works better when unit testing email receipt.
