Question T8393
Visible to All Users

Protecting JSON from End user

created 3 years ago (modified 3 years ago)

Hi Team

When we create a survey in the survey builder (questions + correct answers) and publish it for the end users to answer them, do we have a way of protect/hide or encrypt the json part from the developer tools?

Please see the attached image here where, on the survey loading page -> developer tools -> user see the whole json part with correct answers.

Please suggest any solution.

Thanks
Dhruv

Answers approved by surveyjs Support

created 3 years ago

Hello,
We do not have anything like this right now, out of the box. Do you have this JSON on your page? You can convert it into unreadable string and convert it into correct JSON right before passing it into Survey Model.

Thank you,
Andrew
SurveyJS Team

    Other Answers

    created 3 years ago

    Hi Andrew,

    Thank you for your response.
    Can you give some direction/example on how would you convert it into unreadable string first and then passing it into survey model.

    Thanks!

      Show previous comments (6)

        You can use any a very simple encryption here. It is should not be an issue. The problem that you have to encrypt it on server and decrypt on client. I mean you will have to implement one part of your server platform and another one on your client.
        We do not have it out of the box since we are a client only, we do not offer server and to be honest the only issue we have was about correctAnswer and sometimes some invisible questions. We suggest to remove these information before sending it to the client.

        My solution was not about adding a new property/attribute into JSON. You have two pages, for students and assessors, with two Ajax requests for getting JSON from database by it's id. I suggested to add an additional parameter to this Ajax request, who is asking for this survey JSON, student or assessor? In this case on your server, after you get survey JSON from database and before you send it to the client, you can modify it if needed, for example remove "correctAnswer" attribute if JSON is asking by a student. IMHO: this is the correct way to do it. I assume, that if "correctAnswer" attribute will not exists in JSON on a student page, then your security test will be passed. Students will not be able to access correctAnswer and it is better than encrypt JSON or encrypt the correctAnswer.

        Thank you,
        Andrew
        SurveyJS Team

          Thank you Andrew, I will give it a shot.

          May I know how to remove all 'CorrectAnswer' (for radiobuttons/checkbox type questions) and 'Answers' (for text type questions) attributes from the JSON string once received on the server side? I assume by simple C# replace regex?

          And how can I send the original back again to client side?

            Hello,
            It depends on your server platform. If you store survey JSON as JSON, for example if you use MongoDB, then you can simply remove "correctAnswer" attribute by go through the JSON tree.
            If you store survey JSON as text, then the safest way is to parse JSON on server, remove "correctAnswer" attribute and then stringify it. The fastest and easiest way, is to remove text, by using regular expression for example. You can replace with empty string text "correctAnswer": "Your value", it means that you can create regex that starts with "correctAnswer" and ends with ",
            However, it is all a standard programming tasks.

            Thank you,
            Andrew
            SurveyJS Team