When releasing the WEB through 'p5', what are the security problems?

  1. For example, there were no security problems when released in ‘JAVA Mode’ of ‘Processing’.
    (When the exe file is released, the source code is transformed. However, in the case of ‘p5’, the source code is shown as it is.)

  2. However, in the case of ‘WEB’, the security is quite weak, and I think there are many ways to solve this part.

    • source code part
    • DDOS attack
    • information hacking, etc.

  3. Therefore, in releasing ‘p5 WEB’,
    How can I increase security stability? If you know of any experience or know-how, please share.

      1. How to apply security algorithm
        [p5.js] Web page source code security issues / How can I do 'p5 Encryption'? - #15 by GWAK

      2. Is there any other way? Or, what else to consider?

If you just want to hide your code, you could obfuscate/minify it. There are many services and pages that help you with obfuscating. You could also see the source code of the Google start page to see how it obfuscates the code by embedding all the JavaScript within a string which is decrypted afterwards.

What I’m not sure about is how to deal with sensitive information you don’t want to reveal (such as API keys). In the old days of ICQ messenger, I met a webclient that did on-the-fly public key encryption and decryption. But I think that’s no longer safe when you have an “inspection tool” at hand in every browser.

EDIT: If you use cryptojs or similar, please make sure the password is not stored as clear text. You could encrypt a preliminary password with window.location (so you make sure the page is running online), add to it some variable you stored lines before, and pass it to an obfuscated function before it is sent to cryptojs.decrypt. You could even use the pixels[] array to get part of an image as password.

1 Like

Hi @GWAK

For JS, use an obfuscator to make it harder to read your code. There are many, so google for it.

All security-relevant stuff shouldn’t be managed by client-side JS, so do it server side by i.e. REST API/services etc.

All provided information should be protected by an access/security layer (i.e. user permission levels/trust levels).

Cheers
— mnse

3 Likes

Btw.

This isn’t necessarily a valid protection… 🙂
… Not too hard to figure out what happens if you are familiar with it… 😉

Cheers
— mnse

2 Likes

@JoseMY, @mnse
Thank you very much. Thank you very much.

Thank you very much for your answers. I found out that there are ways I hadn’t even thought of. I was able to think about security enough.
I have a question. Is there any way to prevent brute force requests like ‘DDOS’? Is it possible within the ‘p5’, not the server computer (not hardware security)?

Hi @GWAK,

Usually the p5 is hosted by a web server, at least if you want to provide it to someone.
The attack you speak about shouldn’t be handled by p5 itself, but rather by the web server you use to provide your p5 stuff. Here you can configure behaviours to prevent DDOS … (i.e. limit calls, max parallel requests, etc.)

Nevertheless, if you want to manage the stuff i.e. on your own Linux server, you need to think at a low level about how the server itself prevents or handles flood requests. There are some strategies you can set up/implement…

Cheers
— mnse

3 Likes
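The two limits named in the reply above ("limit calls" and "max parallel requests"), applied per client on the server that hands out the sketch files. This is an added example, not code from the thread; it assumes a Node.js host, and `createLimiter`, `guard`, `serveSketch` and the option names are hypothetical.

```javascript
// Added example; createLimiter, guard and the option names are hypothetical.
function createLimiter({ maxCalls, windowMs, maxParallel, now = Date.now }) {
  const clients = new Map(); // client IP -> { windowStart, calls, inFlight }

  // Decide whether one request from `ip` may proceed.
  function admit(ip) {
    const t = now();
    let c = clients.get(ip);
    if (!c) { c = { windowStart: t, calls: 0, inFlight: 0 }; clients.set(ip, c); }
    if (t - c.windowStart >= windowMs) { c.windowStart = t; c.calls = 0; }
    if (c.calls >= maxCalls) { // "limit calls": too many requests in this window
      const retryAfterSec = Math.ceil((c.windowStart + windowMs - t) / 1000);
      return { ok: false, status: 429, retryAfterSec };
    }
    if (c.inFlight >= maxParallel) { // "max parallel requests"
      return { ok: false, status: 503, retryAfterSec: 1 };
    }
    c.calls += 1;
    c.inFlight += 1;
    let released = false;
    const release = () => { if (!released) { released = true; c.inFlight -= 1; } };
    return { ok: true, release };
  }

  // Forget idle clients so the table itself cannot be grown without bound.
  function sweep() {
    const t = now();
    for (const [ip, c] of clients) {
      if (c.inFlight === 0 && t - c.windowStart >= windowMs) clients.delete(ip);
    }
  }
  return { admit, sweep, size: () => clients.size };
}

// Wrap a Node.js request handler, for example:
//   require('http').createServer(guard(limiter, serveSketch)).listen(8080)
// where serveSketch is whatever sends index.html and sketch.js.
function guard(limiter, handler) {
  return (req, res) => {
    const verdict = limiter.admit(req.socket.remoteAddress);
    if (!verdict.ok) {
      res.writeHead(verdict.status, { 'Retry-After': String(verdict.retryAfterSec) });
      res.end();
      return;
    }
    res.on('close', verdict.release); // free the slot once the response is done
    handler(req, res);
  };
}
```

Behind a reverse proxy `req.socket.remoteAddress` is the proxy's address, so the limit belongs on the proxy or must key on a client address the proxy is trusted to supply.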

@mnse

Thank you very much for your answers.

[Software prevent case method]

  1. limit calls
  2. parallel requests
  3. etc(…)

Sorry to keep asking questions. Your answer raises a question, so I ask again.

  1. I have hosted ‘p5 WEB’ using ‘Windows IIS Server’.
  2. (Question) Does ‘p5 WEB’ work in Linux server? Or should there be a separate file conversion?

P5 can now be integrated with Node.js; you can explore that option. I believe your best bet will be to study PHP because it is quite easy to learn. I started learning PHP in college, and in less than 3 months I could integrate back end and front end and query information in a database.
All the best in your quest.

1 Like

@Chigoz
Thank you for the answer.

1 Like