Disable React Dev Tool in NextJS
Answered
Odorous house ant posted this in #help-forum
Odorous house antOP
I've tried different methods, but none of them worked 😓. Someone please help me!!
Answered by Asian black bear
That's not really possible and pretty pointless as well.
Odorous house antOP
@B33fb0n3 I am trying to prevent others from using React Dev Tools to scrutinize the site in production.
Asian black bear
That's not really possible and pretty pointless as well.
Answer
As near said: it's not really possible. Keep in mind that the code itself will also be compiled and "rewritten" so it looks different for others in production (see attached). It's not very human-readable.
Odorous house antOP
Sorry, could I ask why it is pointless?
Wouldn't it help prevent people from manipulating prop values?
Asian black bear
No, it wouldn't. And even if they manipulate their client-side state it shouldn't cause issues as mutations and actions should use server-side validation.
Odorous house antOP
Let's take TanStack Table as an example. You have a column file, and it contains buttons: view, edit, delete.
In the edit button, we pass in the userId that will be edited. Wouldn't malicious users be able to exploit that?
I genuinely do not understand why React Dev Tools is not disabled on prod.
Asian black bear
So what? If somebody attempts to update an entry in your database using a forged ID, your backend code should validate whether the logged-in user has the authorization to alter that entry.
Even if there were no React Dev Tools, there would be dozens of ways to send malicious requests or change the values of hidden fields.
Odorous house antOP
That's true. Guess it's time to improve on the authorization checks.
Thanks @Asian black bear
Asian black bear
You should generally never trust the client, under any circumstance.
Each request needs authentication and authorization checks depending on the action and requirements.
Another example is "exposing an admin interface". If you do ship the admin UI for an app in the client bundle, and malicious users truly manage to gain access to it locally, it's not the end of the world, because requests to fetch the data displayed in there should return 401/403.
You just need the right mental model for these kinds of interactions, and security by obscurity, i.e. attempting to hide something, is pretty pointless.
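The point made in the answer above, as an added example that is not part of the thread: a server-side edit handler that derives the acting user from the session and checks authorization against the client-supplied userId, instead of trusting whatever the edit button (or a forged request) sends. The in-memory session and user stores, the `handleEditUser` function shape and the token values are constructed for illustration and are not a Next.js API; in a real server action or route handler the session would come from the request's cookies or headers.

```javascript
// Added example (not from the thread). Stand-in for a Next.js server action /
// route handler that performs an "edit user" mutation. Everything below is
// constructed sample data and hypothetical names for illustration.

// Constructed session store: bearer token -> logged-in user id.
const SESSIONS = new Map([
  ["tok-alice", { userId: "u1" }],
  ["tok-mallory", { userId: "u2" }],
  ["tok-admin", { userId: "u3" }],
]);

// Constructed user table with a role column used by the policy.
const USERS = new Map([
  ["u1", { id: "u1", role: "user", email: "alice@example.com" }],
  ["u2", { id: "u2", role: "user", email: "mallory@example.com" }],
  ["u3", { id: "u3", role: "admin", email: "admin@example.com" }],
]);

// Fields a caller may change. Anything else in the body (e.g. "role") is
// ignored so a forged request cannot escalate privileges via mass assignment.
const EDITABLE_FIELDS = ["email"];

// Authentication: who is calling? Derived from the session only, never from
// the request body, which the client fully controls.
function authenticate(token) {
  const session = SESSIONS.get(token);
  return session ? USERS.get(session.userId) ?? null : null;
}

// Authorization policy: admins may edit anyone, users only themselves.
// This decision lives on the server; the UI merely mirrors it for convenience.
function canEditUser(actor, targetId) {
  return actor.role === "admin" || actor.id === targetId;
}

// The handler. Returns an HTTP-like status so the caller can map it to a
// response; 401 = not authenticated, 403 = not authorized, 404 = no such user.
function handleEditUser(token, body) {
  const actor = authenticate(token);
  if (!actor) return { status: 401, error: "not authenticated" };

  // Validate the shape of untrusted input before using it.
  const targetId = typeof body?.userId === "string" ? body.userId : null;
  if (!targetId) return { status: 400, error: "userId required" };

  // Authorize before looking the target up, so an unauthorized caller gets the
  // same 403 whether or not the id exists (no user-id enumeration).
  if (!canEditUser(actor, targetId)) {
    return { status: 403, error: "not authorized to edit this user" };
  }

  const target = USERS.get(targetId);
  if (!target) return { status: 404, error: "no such user" };

  // Apply only whitelisted fields; silently drop the rest.
  for (const field of EDITABLE_FIELDS) {
    if (typeof body[field] === "string") target[field] = body[field];
  }
  return { status: 200, user: { ...target } };
}

// Stand-alone demonstration: Mallory forges Alice's id the way the thread
// worries about; the server rejects it regardless of what the UI showed her.
console.log(handleEditUser("tok-mallory", { userId: "u1", email: "pwned@example.com" }));
console.log(handleEditUser("tok-alice", { userId: "u1", email: "alice2@example.com" }));
```

The same `authenticate` / `canEditUser` pair should guard every mutation (view, edit, delete) and every data-fetching endpoint behind an admin UI; hiding the button, the route or the dev tools changes nothing about what a client can send.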
Odorous house antOP
Yeah, I get your point now. Thanks a lot