0

I need to deny public users to see the js frameworks we use in our website.
I have Apache 2.x version with php and js.
First my question is, is it recommendable? I mean, wouldn't denying access to the directory will also block Apache to parse the framework and use it?
Second, how can I achieve it? I have tried with
RedirectMatch 404 /var/www/html/js/.* example.com following this guide: https://alvinalexander.com/web/apache-redirectmatch-examples-wildcard-301
Also I have tried with a .htaccess file in /js directory with just deny from all on it and even a <Directory "/var/www/html/js"> </Directory> with Options -Indexes and deny from all but got no luck. What is the correct way of doing this?

EDIT


This is part of a pentest result that has been done to my server and the auditors are saying the public access to /js directory and frameworks within it is a security problem so, I'm trying to look for a way to deny access or well, find a way to justify the access to this directory
Edgar Sampere
  • 263
  • 4
  • 24
  • If you deny access to the code the site needs to run, why would it work? – Kraylog Dec 21 '17 at 20:02
  • That's why I need to find a way to stop public users to see it whilst keeping the site working – Edgar Sampere Dec 21 '17 at 20:03
  • I have a feeling you're trying to solve a problem you don't have. Also, that's impossible, since the user's browser needs the code to run it. – Kraylog Dec 21 '17 at 20:06
  • Yeah, i feel the same. Let me edit the question to understand better the background – Edgar Sampere Dec 21 '17 at 20:09
  • Who are those `auditors` anyway...what you can do is to store your javascript files in a cdn or something similar... – Hackerman Dec 21 '17 at 20:15
  • Possible duplicate of [Block direct access to js, css file but allow access from index.html?](https://stackoverflow.com/questions/20931658/block-direct-access-to-js-css-file-but-allow-access-from-index-html) – Kraylog Dec 21 '17 at 20:18
  • Your security people seem to have strange notions about how the web works. – Kraylog Dec 21 '17 at 20:20
  • Yeah, I believe the same. Checking the other post. – Edgar Sampere Dec 21 '17 at 21:16
  • The answer is quite simple tough. And it is...you cannot, right? Because js is client-side so the idea is for the public to download and parse the js directory and if that cannot be done, the site would'nt work well... The problem here is explaining, gotta do some long blah blah document – Edgar Sampere Dec 21 '17 at 21:19

1 Answers1

0

The answer is...it cannot be done, as it is a part of how javascript works and it has to be visible in order for the website to work

Edgar Sampere
  • 263
  • 4
  • 24