While working on frontend security projects, I encountered security - here's what I learned.

Have questions? Feel free to ask in the comments section below.

正文

### your communities. ### more stack exchange communities. Communities for your favorite technologies. Stack Overflow for Teams is now called **Stack Internal**. ##### Collectives™ on Stack Overflow. Is there value in scanning front-end JavaScript code for vulnerabilities with a SAST tool? My point here is: even the most secure code can be easily changed from the client, if the client wants to make your front-end upside down, they can. And everything accessible from the front-end, the client its

In modern web development, security has become increasingly important. Developers need to understand the security implications and best practices.

When implementing security, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around security continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

If you found this useful, please like and share! Follow for more content on this topic.

Reference: security - Should we check front-end JavaScript code for vulnerabilities? - Stack Overflow

I've had several readers ask me about Obfuscate recently, so I decided to write a comprehensive article about it.

Have questions? Feel free to ask in the comments section below.

正文

I am very curious how effective obfuscation would be in a WASM binary, for example could it be possible to create a client side Auth system (yeah I know it's triggering), but can you realistically decompile, have you done it, I guess I'm saying is WASM a place to hide?

Templates let you quickly answer FAQs or store snippets for re-use.

Just use cloudflare worker you have 100K requests free per month and it enables you to process data within JavaScript code... I used it to bypass the need to hide a key into the DeepAI.org services within

How’s it going, I'm a Adam, a Full-Stack Engineer, actively searching for work. I'm all about JavaScript. And Frontend but don't let that fool you - I've also got some serious Backend skills.

11 plus years* active enterprise development experience and a Fine art degree 🎨

What the heck is this it sounds like it's worth a read about 😁

Yeah the author may want to hide API keys in the client side, but that is technically not recommended, instead and I mislead the numbers, you can bypass CORS+ HIDE API KEYS in workers on CLOUDFLARES&CO with 100K request a day

How’s it going, I'm a Adam, a Full-Stack Engineer, actively searching for work. I'm all about JavaScript. And Frontend but don't let that fool you - I've also got some serious Backend skills.

11 plus years* active enterprise development experience and a Fine art degree 🎨

How’s it going, I'm a Adam, a Full-Stack Engineer, actively searching for work. I'm all about JavaScript. And Frontend but don't let that fool you - I've also got some serious Backend skills.

11 plus years* active enterprise development experience and a Fine art degree 🎨

Both awesome Ben's I agree with you both. It's just I had this idea yesterday, because of what I do, working with IAM and also UI, I wondered if the next identity access management software could run at the (trendy word alert) 'edge' client but I think we all know that's a terrifying idea 💡, but I do want to know, is it possible to securely do this. I was thinking about WASM as a sort of container I guess.

These days I do more software architecture and whatnot, and promote UX and accessibility.

Anything obfuscated can be de-obfuscated, so it's not providing any security, but it

making the web - which is supposed to be open and readable - into a worse place.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

This article was first published on JSVMP Blog. Reposting with attribution is welcome.

Reference: Obfuscate client side with WASM - DEV Community

关于Javascript，网上资料比较零散，这里做个相对完整的总结。

Found this helpful? Share it with your team and leave a comment below!

正文

很久以前，我曾经写过6502汇编代码。我喜欢它......如何将JavaScript文件包含在另一个JavaScript文件中？

在现代Web开发中，Javascript变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现Javascript时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

Javascript相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

有问题欢迎评论区交流，看到会第一时间回复大家一起讨论。

Reference: Javascript VM/Emulator? [closed] - virtualization - Stack Overflow

关于patriksimek/vm2:，网上资料比较零散，这里做个相对完整的总结。

Ready to learn more? Subscribe to our newsletter for weekly tutorials and tips.

正文

vm2是一个沙盒，可以使用白名单节点的内置模块运行不受信任的代码。重要安全免责声明

在使用vm2之前，您应该了解它的工作原理及其局限性。

作为您的应用程序。它通过复杂的网络来实现这一点，

拦截和调解沙箱和主机环境之间的每次交互。

JavaScript是一种非常动态的语言。对象可以通过原型链访问，构造函数可以通过错误对象访问，符号提供协议挂钩，异步执行创建计时窗口。在JavaScript中从一个对象到另一个对象的遍历方式非常多，这使得构建一个密封的进程内沙箱非常困难。

尽管我们尽了最大努力，研究人员和安全专业人员仍在不断发现逃离vm2沙箱的新方法。我们在报告这些漏洞时会积极修补这些漏洞，但进程内沙盒的猫和老鼠本质意味着：

对于已知漏洞，未来可能会发现新的绕过。

从最新的安全修补程序中获益。订阅安全公告并及时更新。

运行不受信任的代码时，深入防御至关重要。

如果您需要更强的隔离保证，请考虑这些替代方案，

IPC开销较高；数据必须序列化Docker、gVisor、Firecracker

基于云的代码执行（例如， AWS Lambda、Cloudflare Workers ）

您需要与主机对象的紧密集成和快速的同步通信

不受信任的代码来自相对受信任的来源（例如，内部工具，具有经过审核的作者的插件系统）

将vm2与其他安全层（网络隔离、文件系统限制、资源限制）相结合

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

篇幅原因就先写这么多，后面有空会再补充更多实战案例。有问题评论区见。

Reference: patriksimek/vm2: Advanced vm/sandbox for Node.js - GitHub