It doesn’t actually matter. Blocking “View Source”, that is.


We recently received a question that made me wonder if we really were in 2016: “Can the Barracuda Web Application Firewall block users from performing right-click -> View Source?” For an instant, it took me back to the early 2000s, when every conceivable method of “protection” was being implemented, including blocking right-click to stop people from viewing the source of a web page or downloading a file from it. This time the question was asked with securing the website in mind: if right-click and View Source are blocked, then an attacker cannot see the source code of the web page, and so (the reasoning goes) cannot figure out how to “hack” us or steal our source code.

There is some logic to the request. If an attacker cannot view the source of the web page, they are at a slight disadvantage: very often the source reveals hidden form fields, optional or commented-out elements, and session identifiers (among other things) that speed up an attacker's work. But all of these, and more, can be recovered with an intercepting proxy such as Fiddler or with any of the automated tools freely available on the Internet, because the browser has to receive the complete page before it can render it, and a right-click blocker only runs after that.

Blocking right-click is quite possible; blocking it reliably requires a client that you control, and on an ordinary browser it is ineffective. You can insert a few lines of JavaScript that suppress the context menu. But a user with a standard web browser can simply disable JavaScript and right-click away, or sidestep the mouse entirely: the browser's own View Source shortcut (Ctrl+U in Firefox and Chrome), the developer tools (F12), or prefixing the address with view-source: all show the page regardless of what its scripts do. If blocking right-click is really required, you would need to remove the functionality from the browser itself and force all clients to use only that browser; this is possible in some enterprise situations, but not on public-facing websites.
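To make this concrete, here is an added example (not code from the original post, and not Barracuda's). A tiny local HTTP server stands in for a site that blocks right-click and Ctrl+U with inline JavaScript; a plain HTTP client fetches the page the way Fiddler, curl or a scanner would, with no JavaScript ever executing; and a small parser pulls out exactly what the post says the source reveals: hidden form fields, the session identifier and developer comments. The page, its field names, the session and CSRF values and the comment are all constructed for the example and do not come from any real site.

```python
"""Added example: a right-click blocker runs in the browser after the page
has already been delivered, so any HTTP client sees the full source.
The sample page, its field names and values are constructed for this
example and do not come from a real site."""
import threading
from html.parser import HTMLParser
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample page: the inline script is the kind of blocker the
# post describes (context menu plus the Ctrl+U / Ctrl+S shortcuts).
PAGE = b"""<!DOCTYPE html>
<html><head><title>Net Banking (constructed example)</title>
<script>
  document.addEventListener('contextmenu', e => e.preventDefault());
  document.addEventListener('keydown', e => {
    if (e.ctrlKey && (e.key === 'u' || e.key === 's')) e.preventDefault();
  });
</script></head>
<body>
<!-- TODO: remove the debug export at /admin/export before go-live -->
<form action="/transfer" method="post">
  <input type="hidden" name="sessionid" value="sess-EXAMPLE-0001">
  <input type="hidden" name="daily_limit" value="50000">
  <input type="hidden" name="csrf" value="tok-EXAMPLE-0002">
  <input type="text" name="amount">
  <button>Transfer</button>
</form>
</body></html>
"""


class _SiteHandler(BaseHTTPRequestHandler):
    """Serves PAGE for every path; stands in for the 'protected' site."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def log_message(self, *args):
        pass  # keep the example quiet


def fetch_source(path="/login"):
    """Start the site on an ephemeral loopback port, fetch `path` with a
    plain HTTP client (no JavaScript ever runs), and return the raw bytes."""
    server = HTTPServer(("127.0.0.1", 0), _SiteHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address[:2]
        conn = HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)
        body = conn.getresponse().read()
        conn.close()
        return body
    finally:
        server.shutdown()
        server.server_close()


class SourceInspector(HTMLParser):
    """Collects the things the post says View Source reveals: hidden form
    fields, HTML comments and the inline scripts themselves."""

    def __init__(self):
        super().__init__()
        self.hidden = {}
        self.comments = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("type") == "hidden":
            self.hidden[attrs.get("name")] = attrs.get("value")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.scripts.append(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())


def inspect(html_bytes):
    """Return what an attacker learns from the raw source."""
    p = SourceInspector()
    p.feed(html_bytes.decode("utf-8"))
    p.close()
    return {
        "hidden": p.hidden,
        "comments": p.comments,
        "blocks_right_click": any("contextmenu" in s for s in p.scripts),
    }


if __name__ == "__main__":
    source = fetch_source()
    assert source == PAGE  # nothing in the page can stop the bytes arriving
    for key, value in inspect(source).items():
        print(f"{key}: {value}")
```

The bytes that come back are identical to what the server sent, blocker and all; the client never had to defeat anything, because the "protection" is code the attacker is free to ignore. The practical lesson is the same one the rest of the post draws: anything in a page, including hidden fields and the session identifier, must be treated as public.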

An example of a simple right-click bypass is the Net Banking site of my bank. They block right-click, and I cannot copy some text. So I just use the keyboard: I hold down the Ctrl and Shift keys and use the arrow keys to select text, then press Ctrl+C to copy it. There is no fiddling around with JavaScript, no selecting Developer Tools, no mucking about with Fiddler, no using a mouse, just some basic keyboard shortcuts. If the bank wanted to block this, they would need to block a lot more than just right-click on their website, and that would break much functionality and aggravate users with little benefit.

A quick glance around the Internet shows how much users scorn sites that block right-click or use similar methods. The minor security advantage does not make up for the user exasperation it causes.

Blocking “View Source” is security through obscurity, and such methods should not be relied upon for significant protection. Security by obscurity is discouraged by standards bodies such as NIST, whose server security guidance states that system security should not depend on the secrecy of the implementation or its components. That obscurity does not work was demonstrated as far back as 1851, when Alfred Hobbs exposed the weaknesses of the then state-of-the-art locks by picking them publicly. When others worried that he was revealing these flaws to criminals and making the locks more vulnerable, he replied: “Rogues are very keen in their profession, and know already much more than we can teach them.” So too are the people who wish to break into your site, and the automated tools they use are not slowed down by such obscurity.

So what do you do to protect your site? First, accept that everything sent to the browser, including hidden fields, client-side validation and the markup itself, is visible to the user, so secrets and authorization checks must live on the server. Then put a Web Application Firewall in front of the application. A Web Application Firewall is a specialized firewall that sits in front of your web applications and inspects HTTP traffic, protecting them from application-layer attacks that a network IPS or IDS is not designed to detect or block.

While using a Web Application Firewall might sound complex, securing your web application need not be difficult. The Barracuda Web Application Firewall exists to secure your web applications easily and give you peace of mind. Once you deploy it in front of your web application, it is straightforward to set up an HTTPS front end and enable application security. The Barracuda Web Application Firewall protects against the major classes of web attacks, including application DDoS and web scraping. We offer several deployment options, including physical and virtual appliances, and Azure, AWS, and vCloud Air. Try it in your environment for 30 days, risk-free.

In December 2016, we are running a webinar on Deconstructing Web-based Attacks. In this webinar, we will talk about some of the big hacks from the past year, revealing how they happened. We’ll also talk about the Barracuda Web Application Firewall and Barracuda Vulnerability Manager, and how they can help protect you against these attacks. Look out for more information on attending this webinar series soon!


Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office. You can connect with him on LinkedIn.

 
