Ask HN: Can you protect your JavaScript code?

2 points| martin_hnuid | 8 years ago | reply

Friends of mine have seen their non-trivial code lifted right off their websites and sold by people on Fiverr as if they had written it. I would imagine a lot of folks on Fiverr do just this: Scour the web for the solution they are being paid to create and simply copy-and-paste it to their unsuspecting clients.

Say you are building a site that will make use of very heavy JS code, to the point that the code is critical to your business and you do not want it copied or stolen. How do you protect it? Can you protect it?

I can't see much past obfuscation through minification. How effective are these techniques?

One thought is to use AJAX wherever possible in order to have that code live server side. This, of course, would result in greater server load.

8 comments

[+] oldandtired|8 years ago|reply
Seriously, if you are wanting to protect client side js, you are closing the barn after the horse has bolted.

Even with obfuscation, if the code is worth copying (for any reason, including money), it will be copied. It is irrelevant if it is closed or open source.

Even with it server side, any mistakes on your part and the code is available to whoever really wants it.

Your friends would be better off finding out who was sold the code and letting those people know where the code actually came from. Do it pleasantly and your friends may find themselves some new customers.

The one thing they do need to be careful about is not coming across vindictively. The potential clients may find that attitude less than favourable. Your friends could even do reviews on the Fiverr site with humorous comments about how good the people were at copying other people's code and selling it as their own. Be funny about it and let the culprits lose it. It will pay off in the end.

I have come across others who have had their work copied and then sold. The best way to handle this is NOT to get angry, but to use it as a means of advertising yourself. Your work is so good that people want to copy it and pretend that it is their own work. How good a recommendation is that?

There are different ways to handle this, be inventive, be pleasant and be smart.

[+] martin_hnuid|8 years ago|reply
I know this is a tough one. I'm trying to understand what the options might be while fully understanding that JS is, in the end, not protectable.

Say you develop a site that offers a very specialized CAD package unique to an industry. The entire thing has to be client side JS and it could take a year or more to develop. Theft of code in a case like that could be catastrophic.

Frankly, I'm surprised nobody has come up with a real solution for this.

[+] mattbgates|8 years ago|reply
You could probably use a JavaScript obfuscator ( http://www.danstools.com/javascript-obfuscate/ or https://javascriptobfuscator.com/Javascript-Obfuscator.aspx ) but you'll always want to make backups of your original code. There are some that are able to obfuscate it but may not be able to reverse it. I've used it to mask emails when my contact forms have gotten spam, but haven't used it for massive amounts of code. However, if you are after protecting that code and making sure no one steals it, then why not use it?

[+] woranl|8 years ago|reply
How about rewriting/converting the app in C++ and delivering it via WebAssembly?

[+] martin_hnuid|8 years ago|reply
That's very interesting. I wasn't familiar with this. Thanks.

[+] spurlock|8 years ago|reply
> Say you are building a site that will make use of very heavy JS code, to the point that the code is critical to your business and you do not want it copied or stolen. How do you protect it? Can you protect it?

There are countless obfuscation tools out there, but in the end if someone wants your code, they can reverse it into more readable code and steal it, using it on their website/webapp. It's the way browser engines are designed that ensures this. JavaScript is there for the taking and is not compiled into machine code. It's interpreted. So no, you can't protect it. No matter how much you abuse the eval() function or mangle the code[1].

[1]: https://en.wikipedia.org/wiki/JSFuck