Apologies if this is a bit of a daft/stupid question.
So you have a website, let's say it's Amazon (as an example, I'm not saying they do this), and there's a login section. The website will only load certain CSS/JS files upon login authentication. Now I have a series of questions:
1. Would a website ever do this?
2. If yes, why would a website ever do this?
3. Is there a way around this to access files without the need for authentication?
(without compromising the security of the reason why these files are restricted access)
My thoughts on 3. - Such as looking at the source of the website (whilst logged in) and then open the files in the same session and copy the contents. A crude solution, but one that would work I believe.
Does anyone have any thoughts on this matter? The use case does not include restricting access to webpages but instead to the scripts loaded into said page. And this all needs to be done in JS.
Also, if anyone could point me to some google links or something that would be great :). I'm not sure what I'm googling that makes sense in a couple words so any help would be greatly received.
Can't understand what exactly you want and why.
For example: an app where managers can log into their company profile and upload PDFs. These PDFs shouldn't be available to other companies. This is application level, where you store uploaded/user-sensitive information in a database or in any disk storage BUT you serve these files from the backend. For example, a user can access his PDF by a URL like domain/file=6GO86r89GugK
Another example: users can upload profile photos, which are in fact private information and protected by law. Many users don't want to allow anyone, and especially Google, to see their private photos, at least until they are logged in or even friends. This IS AGAIN application level. Facebook is the first example here. You can set up who is able to see your photos: public, friends, only you, etc.
What actually happens in the back-end when a user tries to access a link:
Content-Type: image/png and the body contains the file data. If it is required to download that link, then another header is added.
You are asking for a Google link, so I will give you exactly what you want. Create a private Google Drive document, paste the sharable link here, and anyone who visits that link will see a page saying that access to that file is restricted; you can request access by clicking the button, which will send an email to the doc author. This IS application level.
If your JS contains sensitive information, then there is something very wrong with your JS and you should remove it. Don't overcomplicate things and don't think about restricting access to the assets.
All the data will be returned from the server anyway. I don't care if a hacker has access in the console to Manager.deleteAccount(42) because he will get a 403 from the server.
You, of course, may think that you don't want to allow a hacker to see your API URLs so he couldn't spam them. First, as I said in the paragraph above, the server will show that hacker where his place is, and, second, ok, you hid that info, but the hacker can register his own account and get that info anyway because it IS a PUBLIC asset.
I am not going to talk about HTTP level security, load balancing, proxies, HA, DDoS protection and everything else since it is a different topic.
If you are talking about which CSS and JS should be returned to guests, which to authenticated users, and which to admins because of performance issues, then, of course, you shouldn't return a 1 MB full-bundle.css/js. I usually have a small index-hash.js and index-hash.css for the first page only; the rest of the app can be in a single app-hash.css and app-hash.js, or it could be divided into modules, like news.css, users.css, etc. Admin assets are always returned from /admin or something, since the client side does not need typical admin panel assets. Return to a client only what he asks for in that request, no more, no less. My average CSS/JS per page is about 30 KB.
P.S. Public assets and images should be returned from a CDN.
Personally, I sometimes do this. I even sometimes decide on a per-access-key basis what files are needed. My main reason is to minimize load times. When an admin logs on, they might need JS and CSS for all the admin widgets which a normal user might not even see. So for a normal user, I can leave out all the CSS and JS for those widgets, saving bytes in the process. At the same time, restricting manual access to the files (like just entering the address) may help make attacks more difficult, as an attacker has no source code, hence no way of knowing certain interfaces. So they will have to try out a lot more. Using AppSensor, you might be able to detect such behavior and react with a honey pot or aggressive honey pot.
The whole thing has to be implemented server-side, or you will not gain the security advantages. Of course, depending on your implementation, you might also allow for such files to be accessed either way (which you can do browser-side; take a look at module loaders like RequireJS), but personally, because of the security considerations, I would not do something like that.