I've been investigating how to spawn/load/append an element securely.
In my project, there's an administrative panel that should only be loaded in case an admin user logs in (this is present in the main website/page).
From what I've looked around, people say that .php files aren't accessible to the client (except the response, I think), so in terms of authentication, I have no problem.
But, after the AJAX request returns 'true', for example, my .js file will have code in order to append or load the required code. Since JavaScript is shown to the client, a malicious user would only have to take a quick look at it to see what he'd have to inject to get access to this panel (I presume it's that easy for an experienced hacker).
How can I hide this information from the client? Is there some kind of encryption I can use or other way to load the element?
P.S.: I understand that it might be safer to create an admin page rather than including it in the main website, but keep in mind this is my last resort.
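Added example, not part of the original post: one way to keep the panel inside the main page without putting its markup or an access decision in the JavaScript is to have the server return the panel fragment only to an admin session. The file names `admin_panel.php` and `admin_action.php`, the session keys `user_id`, `role` and `csrf`, and the sample button are assumptions made for illustration.

```php
<?php
// admin_panel.php (hypothetical name): returns the admin panel markup only
// to a session that the server itself marked as admin at login.
declare(strict_types=1);

session_start();

// Assumption: the login script set $_SESSION['user_id'] and
// $_SESSION['role'] after verifying credentials. The role is never read
// from a request parameter, cookie value or anything the client controls.
function is_admin(array $session): bool
{
    return isset($session['user_id'], $session['role'])
        && $session['role'] === 'admin';
}

if (!is_admin($_SESSION)) {
    // Non-admin visitors receive no markup, so reading the page's .js file
    // reveals only this URL, which answers 403 without an admin session.
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Forbidden');
}

// Per-session token that admin_action.php (hypothetical) must compare with
// hash_equals() before doing anything. That script must also repeat the
// is_admin() check: hiding the panel is cosmetic, the check on every admin
// action is what actually protects it.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

header('Content-Type: text/html; charset=utf-8');
header('Cache-Control: no-store'); // keep the fragment out of shared caches
?>
<section id="admin-panel">
  <h2>Administration</h2>
  <form method="post" action="admin_action.php">
    <input type="hidden" name="csrf"
           value="<?= htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8') ?>">
    <button name="action" value="example-action">Example admin action</button>
  </form>
</section>
```

The page script can request this file for every visitor and append the response only when the status is 200, so the client-side code contains no check worth bypassing.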