How to prevent your JavaScript code from being stolen, copied, and viewed? [closed]

javascript security

Solution 1:

It's simply not possible.

For a visitor's browser to be able to execute the script, they have to be able to download it. Not matter what trickery you try to pull with JS, server permissions etc., at the end of the day they can always just wget http://example.com/yourcoolscript.js. And even if they can't (e.g. you require "secret" headers for that request) that would likely inhibit the behaviour of most browsers, while not stopping a determined person from looking anyway.

Fundamentally, because JS is executed client-side, the client must have access to the "original" JS file.

One minor thing you can do is obfuscation, which can help a little bit. But since JS is interpreted, it's also its own deobfuscator - see one of my earlier answers for an example.

Basically - "if you build it, they will look". :-)

Solution 2:

There are two kinds of user: There is the large group who couldn't care less. No need to protect against them.

Then, there is the group who really wants to see how you did it. There is no way to protect against them. They have all the tools and the knowledge to circumvent any protection you could come up with. You could use obfuscation but that's going to cost you money and time, so in the end, you can only lose.

Create a great product plus offer good support and people will be willing to pay for it. Castle building didn't work well in the past (lot of effort and it took just a couple of stones to tear them down) and it surely doesn't work today.

If you're afraid that your ideas are going to be stolen, then look for a new job, because they will be and there's nothing you can do.

Solution 3:

You could obfuscate your Javascript. There are a lot of tools to do that in the wild, e.g. http://www.javascriptobfuscator.com/. However it does not prevent anyone to see the code, but makes it harder to read.

Solution 4:

If you have big secrets, keep them on the server.

Then bundle all your JS files in one file, that you obfuscate.
This should prevent many people to go further, and as well reduce size and http calls.
But this won't stop the real bad guy if any.

We're building a JS heavy app and cured this paranoia long time ago.
If fact, we did the opposite.

As nothing can be protected, why not open source useful parts and get feedback from other people?
Try it, you won't be disappointed.

Solution 5:

One idea is to use websockets to serve javascript files to the browser through a socket.listener and running with eval. That way, it's very very very difficult for anyone to see the actual "source", since the connection of the socket has been already closed.

There is another amazing tactic which can be seen on the homepage of http://samy.pl, which uses spaces (\u0020) and tabs (\u0009) as a byte cipher to hide JS code!

If you view the source, you can only see 1 line of actual JS code: http://pastebin.com/e0pqJ8sB See for yourself if you can figure out how it works (no spoilers!)

As far as obfuscators go, see http://utf-8.jp/public/jjencode.html (and/or another version)

This free obfuscator runs client-side, and produces gibberish that unminify.com and jsbeautifier can't even decode:

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+",\\"+$.$__+$.___+"\\"+$.__$+$.__$+$._$_+$.$_$_+"\\"+$.__$+$.$$_+$.$$_+$.$_$_+"\\"+$.__$+$._$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\\"\\"+$.$__+$.___+")"+"\"")())();

Original code:

alert("Hello, JavaScript")

Output from both beautifier websites:

$ = ~[];
$ = {
    ___: ++$,
    $$$$: (![] + "")[$],
    __$: ++$,
    $_$_: (![] + "")[$],
    _$_: ++$,
    $_$$: ({} + "")[$],
    $$_$: ($[$] + "")[$],
    _$$: ++$,
    $$$_: (!"" + "")[$],
    $__: ++$,
    $_$: ++$,
    $$__: ({} + "")[$],
    $$_: ++$,
    $$$: ++$,
    $___: ++$,
    $__$: ++$
};
$.$_ = ($.$_ = $ + "")[$.$_$] + ($._$ = $.$_[$.__$]) + ($.$$ = ($.$ + "")[$.__$]) + ((!$) + "")[$._$$] + ($.__ = $.$_[$.$$_]) + ($.$ = (!"" + "")[$.__$]) + ($._ = (!"" + "")[$._$_]) + $.$_[$.$_$] + $.__ + $._$ + $.$;
$.$$ = $.$ + (!"" + "")[$._$$] + $.__ + $._ + $.$ + $.$$;
$.$ = ($.___)[$.$_][$.$_];
$.$($.$($.$$ + "\"" + $.$_$_ + (![] + "")[$._$_] + $.$$$_ + "\\" + $.__$ + $.$$_ + $._$_ + $.__ + "(\\\"\\" + $.__$ + $.__$ + $.___ + $.$$$_ + (![] + "")[$._$_] + (![] + "")[$._$_] + $._$ + ",\\" + $.$__ + $.___ + "\\" + $.__$ + $.__$ + $._$_ + $.$_$_ + "\\" + $.__$ + $.$$_ + $.$$_ + $.$_$_ + "\\" + $.__$ + $._$_ + $._$$ + $.$$__ + "\\" + $.__$ + $.$$_ + $._$_ + "\\" + $.__$ + $.$_$ + $.__$ + "\\" + $.__$ + $.$$_ + $.___ + $.__ + "\\\"\\" + $.$__ + $.___ + ")" + "\"")())();

Hope this enlightens those in need!

Related

Find distance between two points using latitude and longitude in mysql
Using different versions of the same assembly in the same folder
How to convert XML to java.util.Map and vice versa?
Possible to share in-memory data between 2 separate processes?
What does a zlib header look like?
How to get the EXIF data from a file using C#
Stopping GIF Animation Programmatically
What is the meaning of a const at end of a member function? [duplicate]
Stringify (convert to JSON) a JavaScript object with circular reference
Creating URL query parameters from NSDictionary objects in ObjectiveC
Dot character '.' in MVC Web API 2 for request such as api/people/STAFF.45287
How could the UNIX sort command sort a very large file?