I want to use node.js in my next project, but my boss does not like that our competitors can read the source code.

Is there a way to protect the JavaScript code?


You could accomplish this with a NativeExtension for node

You'd have a boostrap.js file that adds a extension handler for .jse files

// register extension
require.extensions[".jse"] = function (m) {
 m.exports = MyNativeExtension.decrypt(fs.readFileSync(m.filename));
};

require("YourCode.jse");

YourCode.jse would be the encrypted version of your source code (the key for decryption wouldn't be anywhere in plain-text because the decryption process takes place in the native extension).

Now you have your NativeExtensions decrypt function transform the source back to javascript. Just have your build process create encrypted .jse versions of all your files and release those to your customers. They'd also need the native extension but now you've made it a little harder to modify your code without too much effort. You can even make the native extension call home and check license information to help prevent piracy (keep in mind this won't stop piracy, there's no solution for that).


Just include a license agreement and give them the source code. They might want to customize it anyway.


As I have just completed a huge pure Nodejs project in 80+ files I had the same problem as OP. I needed at least a minimal protection for my hard work, but it seems this very basic need had not been covered by the NPMjs OS community. Add salt to injury the JXCore package encryption system was cracked last week in a few hours so back to obfuscation...

So I created the complete solution, that handles file merging, uglifying. You have the option of leaving out specified files/folders as well from merging. These files are then copied to the new output location of the merged file and references to them are rewritten auto.

NPMjs link of node-uglifier

Github repo of of node-uglifier

PS: I would be glad if people would contribute to make it even better. This is a war between thieves and hard working coders like yourself. Lets join our forces, increase the pain of reverse engineering!


To be very clear, client-side Javascript (as downloaded from a remote server into a standard web browser) cannot be protected from viewing and/or modification no matter how you obfuscate it since reconstruction ("de-obfuscation") of the original source is technically trivial. (Javascript obfuscation is simply another example of the widely used security misnomer "security through obscurity".)

If you wish to use Javascript and Node.js to provide a protected "product" (which in this context is an application or service requiring installation on a server your company does not control), you cannot secure it either as the only option available to you (obfuscation) provides no such protection.

It should be noted that even if your product is provided as a binary executable that is no guarantee you can protect the intellectual property it contains as any binary can be decompiled into an understandable format. In this case, we enjoy some level of security based on the excessive resources (time/expertise) required to convert low-level machine code (as provided by decompilation) into the higher-level logic constructs used by modern programming languages. (This from one who once decompiled CP/M into an understanding of its internal design by hand. ;)

All however is not lost: if we assume that one can protect intellectual property programmatically (the jury is still out on this one), there is a way to provide a Node.js-based product in a secure fashion, but it is not for the technically unadventurous as it would require substantial refactoring of the Node.js source code (to add support for cryptographically secure libraries and remove--or otherwise protect--object reflection for your proprietary libraries.)


Server side javascript code is completely closed source. No-one can read it.

Client side javascript code is completely open source. Everyone can read it.

For the latter you can do nothing but the same applies for RoR, ASP.NET, PHP, etc.

The actual server code is closed unless you publicly make it available.

If your making a library and trying to sell it as 3rd party source then it's open and can be stolen. Of course you can sue them for copyright breach.

There are various big companies like extjs which sell libraries which could be stolen that's why what they actually sell you is the code and a support service.

Most commercial projects build on node are services.