path's access permission with url from browser

Forum Moderators: phranque

Message Too Old, No Replies

path's access permission with url from browser

thosecars82

1:25 am on Jan 2, 2010 (gmt 0)

Hello
I would like to ask you.
I have tested www.example.com eith Xenu's Link Sleuth 1.3.5
Among the results that it has returned I can see
a row which says
http://www.example.com/javascript/javascript.js for address
and
ok for status.
My question is:
Would it be a good advice to deny direct access to this file javascript.js by typing http://www.example.com/javascript/javascript.js in the browser?
Is this kind of fix a typical good suggestion when doing SEO?
How would I deny this direct access? Would it be by settings permissions to the file javascript.js or folder javascript/javascript.js? What permissions number? I mean, 777,744,...? In this case, would it be really worth it the time it takes to set permissions? Well, it does not take that much time really.
Thanks in advance

jdMorgan

6:55 pm on Jan 3, 2010 (gmt 0)

JavaScript is processed client-side, so if you deny access via HTTP, then the code won't be loaded by the client and won't be executed. Also, the only way to detect a "type-in download" is by the absence of an HTTP Referer request header, and unfortunately, there are many other legitimate things that can stop the Referer header from being sent -- or from being transmitted even if it is sent. "Internet security" software and caching network proxies such as those used by AOL and EarthLink can all prevent your server from receiving an HTTP Referer request header.

All-in all, trying to "protect" JS code is usually not worth the bother. If you really believe that your JS code is so special that it needs protection, then change the script URL (on your pages) to point to a server0side script such as PHP or PERL, add code to rewrite .JS requests to that server-side script, and use the server-side script to check for the presence of a cookie that you've previously set on the 'authorized pages' of your own site (all pages that can be used to get to the page(s) that use the JS script). If the cookie isn't present, then either return an empty script, respond with a 403-Forbidden, or serve a different script, such as one that puts up an alert box. The cookie set on your pages should be a session cookie or it should be set to have a limited lifetime (say a few hours).

None of this has to do with "SEO" -- It has to do with security. Since JS code executes client-side, the impact on security is essentially zero, as long as you're not trying to use JS code for any security-related functions. And if you are, then the problem lies there, and not in the fact that the JS code is downloadable.

Jim