MonkeyFace

Reputation: 130

Allowing only certain servers/websites connect to script

I have a JavaScript script which I want to sell to my clients. The problem is there are no on-site changes required for the script to work, so they can simply link to the script and get the benefits - it's an auto-tagging and conversion setup type script for Analytics which has had a lot of work go into it.

Is there a way to allow only those websites to see the script? So if a human went there it would be a 403. I tried using htaccess and allowing access from the server IP, which of course didn't work...

Upvotes: 0

Views: 276

Answers (2)

SimonSimCity

Reputation: 6572

You mean to differentiate whether the code is requested by a page it is embedded in or from outside of it, right?

The only setting you may be able to rely on is the HTTP header "Referer". This way you can also limit your script to only be included in documents on the domain www.example1.com, but not on www.example2.com.

Here's a request for the GoogleAnalytics script on this page:

GET /ga.js HTTP/1.1
Host: www.google-analytics.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://stackoverflow.com/questions/16687926/allowing-only-certain-servers-websites-connect-to-script
Connection: keep-alive

But if someone knows how your "security check" works, he can easily view the JS code via Firebug or another developer tool, or just create the request using another tool. So, this is not secure at all, but does, if at all, just stop some people who only tried to get the script for 2sec. Everyone trying harder will get to it.

What you can do as well is some obfuscation ... make the code as hard to read as possible :) Here's a link to another question where they talk about malware using this technique to hide what it's really doing: https://superuser.com/questions/418121/what-is-javascript-obfuscation-and-why-is-it-a-threat

Upvotes: 1
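The Referer allowlist described in the answer above, as an added example that is not part of the original post or any answer: a check for Node.js that parses the Referer header with the built-in URL class and compares the full hostname against an allowlist, plus a request handler that returns 403 otherwise. The hostnames and the /script.js path are placeholders assumed for the example; the handler is shaped to plug into http.createServer(handle).

```javascript
// Added example: gate a hosted script on the Referer header.
// Caveat from the answer above: Referer is client-supplied, so this only
// deters casual copying; anyone who can send a crafted request bypasses it.
const ALLOWED_HOSTS = new Set(["www.example1.com", "example1.com"]); // placeholders

// Returns true when the Referer names an allowlisted host.
// With the browser default Referrer-Policy (strict-origin-when-cross-origin)
// cross-origin script loads carry only the origin, e.g. "https://www.example1.com/",
// which still parses and matches here.
function refererAllowed(referer, allowed = ALLOWED_HOSTS) {
  if (!referer) return false; // no Referer at all (e.g. a no-referrer policy): refuse
  let url;
  try {
    url = new URL(referer); // throws on values that are not absolute URLs
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // Exact hostname match, so "www.example1.com.evil.test" does not pass
  // a naive substring or prefix check.
  return allowed.has(url.hostname.toLowerCase());
}

// Minimal handler compatible with Node's http.IncomingMessage/ServerResponse.
// Returns the status code it sent so the decision can be checked in tests.
function handle(req, res) {
  if (req.url !== "/script.js") {
    res.writeHead(404);
    res.end();
    return 404;
  }
  if (!refererAllowed(req.headers.referer)) {
    res.writeHead(403, { "Content-Type": "text/plain" });
    res.end("Forbidden\n");
    return 403;
  }
  // no-store keeps shared caches from handing the script to non-allowlisted pages
  res.writeHead(200, {
    "Content-Type": "application/javascript",
    "Cache-Control": "private, no-store",
  });
  res.end("/* constructed placeholder for the sold script */\n");
  return 200;
}
```

To serve it, pass `handle` to `http.createServer(handle).listen(port)`; a `<script src>` tag on an allowlisted page then loads it while a direct visit gets 403.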

Steventux

Reputation: 29

Is it possible you could host the script? If so you can issue an access/API key to clients and serve this via a key authentication check from a simple web app.

Otherwise you could share a secret with the client and incorporate a key check into the script. I've written a gist demonstrating JavaScript bitwise encoding; the 'salt' argument should be your shared secret. You should also compress/obfuscate the script.

It's worth mentioning that the latter suggestion isn't totally secure; it's a trade-off between how much a single copy of the script is worth to you and what the effort to secure it will cost you.

Upvotes: 0
