
The web app already implements JWT and HTTPS; the problem is that the JSON response sent from the server (Node.js) to signed-token users is visible in the client's (React.js) browser dev tools. Is there any way I could use encryption modules to prevent the sensitive JSON API responses from being viewed plainly using the browser dev tools? Note: I have tried obfuscation techniques but am not convinced.

mdpura
  • I am thinking the answer has to be "no", since your code that is executing on the browser has to be able to read that response. Since the browser tools are effectively debugging that code, what the code can see, the tool can see... – moilejter Jul 29 '18 at 05:13
  • In theory yes, you can still properly encrypt the token (or its attributes). So where's the problem? (in the dev tools you could see everything on the client side, but if you make it unreadable, no point in hiding it) – gusto2 Jul 31 '18 at 14:13

1 Answer


If the security of your application relies on the client behaving in a particular way (e.g. not displaying API responses directly to the user), then by definition, your application is not secure.

Your API should be secure regardless of who is communicating with it (software written by you versus a third party).

The fact that you need to ask this demonstrates that a fundamental part of your application is poorly designed.

Ask yourself why you need to hide this information from the user, and solve that problem instead.

Luke Joshua Park
  • It's not the security of my application at stake but the API response, which is a proprietary data set that's easily available to be copied in one go through browser tools; the web app is designed in a way to prevent this proprietary data set from being copied from the web pages. But the problem here is, logged-in users can simply copy-paste the JSON response and that should be completely prevented; any suggestions on this only please. – mdpura Jul 30 '18 at 07:09
  • @mdpura If you have information that you don't want your users to see - don't send it to them. It is that simple. Think about this logically - if you implemented a solution that prohibits the use of browser tools (which you can't), what would stop me from manually making an HTTP request to the data set outside of a browser? You are solving this problem the wrong way. – Luke Joshua Park Jul 30 '18 at 07:52
  • "what would stop me from manually making an HTTP request to the data set outside of a browser" Ans: As stated in the question, this is specific only to signed-token users; there is an API key set up to handle this as well. All I want to know is, is there any way to encrypt the response? That's the challenge. Your answer seems to be NO, from the extract "..that prohibits the use of browser tools (which you can't)..". Thank you for your time. – mdpura Jul 30 '18 at 15:32
  • You can use encryption on the client side, but anyone with enough knowledge about how to read the plain JSON would be able to read your encrypted messages by using whatever method you use on the client to decrypt to either do it manually or inspect with breakpoints. Your JSON API response really should have nothing to do with security, and your JWT is totally separate from your JSON api and serves a different purpose entirely. – LJD Jul 30 '18 at 20:03
  • @mdpura The fact that you use tokens to authenticate your users does nothing to prevent me from writing a custom client for your API. I can execute the same requests that a browser does and retrieve the same responses. Encrypting the response does nothing either - the logic to decrypt must be executed client-side, so I can replicate this too. Your understanding of this issue in general seems to be flawed. It might be a good idea to correct this before you proceed. – Luke Joshua Park Jul 31 '18 at 02:02
  • @JudeDesir I am getting a little clearer. So you mean to say that the client-side JavaScript used to decrypt the API response and the hardcoded decryption key on the client side are totally hackable. Now this destroys the encryption implementation. – mdpura Jul 31 '18 at 17:34
  • @LukeJoshuaPark I understand it now. Thanks. The problem in my web app is, there is a lot of proprietary data (to be displayed as rows and columns) being sent over to the client as an API response. Is there any way I could prevent users from copying this data set from the JSON response? – mdpura Jul 31 '18 at 17:48
  • You should not depend on the information you send through JSON being inaccessible by the end user for the security of the app. It shouldn't matter if the person reads this info all day. I hope this doesn't sound rude, but the guy that answered you the first time basically explained it, and we're mostly reiterating the same thing. :) If you don't want your user to be able to read data sent through JSON you shouldn't be sending it, and you've set up your app wrong. – LJD Jul 31 '18 at 22:14