During a recent PCI audit, the auditor said that we had major security risks because:
- It was possible to download static resources from our website, such as images, CSS and JavaScript, without prior authentication.
- Our JavaScript had comments in it.
Personally, I think that this is not a security risk at all. The images, CSS and JavaScript were not dynamically created, and they contained no data on our backend, our customer details and on mechanisms.
The comments within the JavaScript were simply explaining what the methods in the JavaScript file did, which anyone who reads JS could have found out anyway.
How does that show “information leakage”?
Are comments within JavaScript really a security risk?
Depending on how strict the audit is, downloading images etc. without authentication COULD be seen as a security risk (think diagrams, charts, graphs…).
Removing comments in the JavaScript is like obfuscating the code: it makes it a bit harder, but still not impossible, to understand what’s going on. JavaScript should be seen as enhancing-only anyway; all your security should be (duplicated) on the server side. Having anyone understand what the JS does should not be considered a risk.