
Chrome console security

Started by April 08, 2017 11:06 PM
0 comments, last by hplus0603 7 years, 7 months ago

So I've been playing around with my site trying to send stuff to the server which isn't intended. I noticed that Chrome console really lets you do what you want. I can even redefine whole functions, glean into the innards of my closures and then fire off stuff to the server that wasn't intended. :unsure: However, I did notice that within a closure if a variable is not a part of the return function such as


var myfunction = (function (){
   var a = 'ha!';
   var b = 'boo!';
  
   return function( x ){
      console.log( b + ' ' + x );
   };
})();

Then 'a' is not actually retrievable by Chrome console in any way, shape or form. Is this true??

[EDIT]: please disregard this question. I have learned that it is impossible to harden client script and prevent the client from sending malicious stuff to the server. The objective is to harden the server.

First: yes, you cannot "harden" the client, because the user can write whatever code he wants and run it any way he wants.

Second: in JavaScript, a closure closes over (captures) all variables that it uses out of the lexical scope when it is defined. It doesn't have to be part of the return value; it just has to be used in the function for it to be captured (closed into the closure.)

enum Bool { True, False, FileNotFound };
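
The conclusion both posts reach is that the server must validate what it receives, because anything in the page can be rewritten from the console. The following added example (not code from the thread) sketches that. The catalogue, session store and `handlePurchase` are hypothetical names, and the sample data is constructed.

```javascript
// Added example: all names and values here are hypothetical.
// Server-side state that browser-console edits cannot reach.
const CATALOGUE = { sword: 100, shield: 60 };                          // constructed prices
const sessions = new Map([['sess-1', { user: 'alice', gold: 150 }]]);  // constructed session

// Validate an already-parsed request body. Nothing in `body` is trusted:
// not its shape, not its types, not any value the client "computed".
function handlePurchase(sessionId, body) {
  const session = sessions.get(sessionId);
  if (!session) return { status: 401, error: 'unknown session' };

  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { status: 400, error: 'body must be an object' };
  }
  const { item, quantity } = body;
  // Own-property check so names like 'constructor' or '__proto__' never match.
  if (typeof item !== 'string' ||
      !Object.prototype.hasOwnProperty.call(CATALOGUE, item)) {
    return { status: 400, error: 'unknown item' };
  }
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 10) {
    return { status: 400, error: 'bad quantity' };
  }

  // The price comes from the server's own table; body.price is never read.
  const cost = CATALOGUE[item] * quantity;
  if (cost > session.gold) return { status: 402, error: 'insufficient gold' };

  session.gold -= cost;
  return { status: 200, charged: cost, remaining: session.gold };
}
```

Whatever the client script was meant to send, the handler decides the outcome only from the session and the server's own table, so a request edited in the console gains nothing over one sent by the unmodified page.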
