Here it is my problem:
I developed an MVC site and currently using standard method to publish which will placed files & folders inside the server. All dll files go under BIN folder and so on with the Content and Views go to Content & Views folder.
The problem is this website is an admin panel designed for commercial hardware device (embedded windows OS), so exposing the views and content as a plain text file can't be an option since it will open vulnerability of hijacking/code stealing. Even the device will be packed in a sealed box, anyone who buy it can broke the case and when they are knowing that the device run in windows environment then anything of security breach may happen, including stole the views code to be copied/changed for any purpose.
So I would need to secure the MVC files. I imagine if MVC can be published in secure files, e.g put all the content and views inside dll files.
答案 0 :(得分:6)
By default there is an assumption that whoever has access to your views and DLLs is trusted. If they have your files, they can do whatever they want with them.
By the nature of HTML, there is no point in trying to conceal your content files such as javascript and CSS. These files are served to the client regardless, so they are always retrievable.
If you want to put your views into DLLs, you can look into RazorGenerator.
A Custom Tool for Visual Studio that allows processing Razor files at design time instead of runtime, allowing them to be built into an assembly for simpler reuse and distribution.
Please note that what you're doing is known as security through obscurity.
[ ... ] security through obscurity is the use of secrecy of the design or implementation to provide security
Security through obscurity is discouraged and not recommended by standards bodies.
答案 1 :(得分:0)
MVC视图永远不应该包含业务逻辑,只能包含格式化逻辑。此外,由于C#代码被编译为中间语言(IL),任何人都可以反转该过程并获取源代码。
在这种情况下,你需要一个混淆器来混合IL以使其难以入侵,但这并非100%保证不会阻止黑客对IL(DLL和exe)进行逆向工程。
最好的办法是建立一种全面的方法来测试管理面板并促进强大的更新过程,以便在出现任何问题时,尽快推送更新。