How do I protect javascript files

Question

I know it s impossible to hide source code but  for example  if I have to link a JavaScript file from my CDN to a web page and I don t want the people to know the location and or content of this script  is this possible   For example  to link a script from a website  we use    lt script type  text javascript  src  http   somedomain com scriptxyz js  gt   lt  script gt    Now  is possible to hide from the user where the script comes from  or hide the script content and still use it on a web page   For example  by saving it in my private CDN that needs password to access files  would that work  If not  what would work to get what I want

User · Answer

Google Closure Compiler  YUI compressor  Minify   Packer     etc  are options for compressing obfuscating your JS codes  But none of them can help you from hiding your code from the users    Anyone with decent knowledge can easily decode de-obfuscate your code using tools like JS Beautifier  You name it   So the answer is  you can always make your code harder to read decode  but for sure there is no way to hide

User · Answer

I agree with everyone else here  With JS on the client  the cat is out of the bag and there is nothing completely foolproof that can be done  Having said that  in some cases I do this to put some hurdles in the way of those who want to take a look at the code   This is how the algorithm works  roughly   The server creates 3 hashed and salted values  One for the current timestamp  and the other two for each of the next 2 seconds  These values are sent over to the client via Ajax to the client as a comma delimited string  from my PHP module  In some cases  I think you can hard-bake these values into a script section of HTML when the page is formed  and delete that script tag once the use of the hashes is over The server is CORS protected and does all the usual SERVER NAME  etc check  which is not much of a protection but at least provides some modicum of resistance to script kiddies    Also it would be nice  if the the server checks if there was indeed an authenticated user s client doing this  The client then sends the same 3 hashed values back to the server thru an ajax call to fetch the actual JS that I need  The server checks the hashes against the current time stamp there    The three values ensure that the data is being sent within the 3 second window to account for latency between the browser and the server  The server needs to be convinced that one of the hashes is matched correctly  and if so it would send over the crucial JS back to the client  This is a simple  crude  quot One time use Password quot  without the need for any database at the back end   This means  that any hacker has only the 3 second window period since the generation of the first set of hashes to get to the actual JS code   The entire client code can be inside an IIFE function so some of the variables inside the client are even more harder to read from the Inspector console This is not any deep solution  A determined hacker can register  get an account and then ask the server to generate the first three hashes  by doing tricks to go around Ajax and CORS  and then make the client perform the second call to get to the actual code -- but it is a reasonable amount of work    Moreover  if the Salt used by the server is based on the login credentials  the server may be able to detect who is that user who tried to retreive the sensitive JS  The server needs to do some more additional work regarding the behaviour of the user AFTER the sensitive JS was retreived  and block the person if the person  say for example  did not do some other activity which was expected  An old  crude version of this was done for a hackathon here  http   planwithin com demo tadr html That wil not work in case the server detects too much latency  and it goes beyond the 3 second window period

User · Answer

As I said in the comment I left on gion 13 answer before  please read   you really can t  Not with javascript   If you don t want the code to be available client-side    stealable without great efforts   my suggestion would be to make use of PHP  ASP Python Perl Ruby JSP   Java-Servlets  that is processed server-side and only the results of the computation code execution are served to the user  Or  if you prefer  even Flash or a Java-Applet that let client-side computation code execution but are compiled and thus harder to reverse-engine  not impossible thus    Just my 2 cents

User · Answer

Just off the top of my head  you could do something like this  if you can create server-side scripts  which it sounds like you can    Instead of loading the script like normal  send an AJAX request to a PHP page  it could be anything  I just use it myself   Have the PHP locate the file  maybe on a non-public part of the server   open it with file get contents  and return  read  echo  the contents as a string   When this string returns to the JavaScript  have it create a new script tag  populate its innerHTML with the code you just received  and attach the tag to the page   You might have trouble with this  innerHTML may not be what you need  but you can experiment    If you do this a lot  you might even want to set up a PHP page that accepts a GET variable with the script s name  so that you can dynamically grab different scripts using the same PHP   Maybe you could use POST instead  to make it just a little harder for other people to see what you re doing  I don t know    EDIT  I thought you were only trying to hide the location of the script  This obviously wouldn t help much if you re trying to hide the script itself

User · Answer

Good question with a simple answer  you can t  Javascript is a client-side programming language  therefore it works on the client s machine  so you can t actually hide anything from the client  Obfuscating your code is a good solution  but it s not enough  because  although it is hard  someone could decipher your code and  quot steal quot  your script  There are a few ways of making your code hard to be stolen  but as i said nothing is bullet-proof  Off the top of my head  one idea is to restrict access to your external js files from outside the page you embed your code in  In that case  if you have  lt script type  quot text javascript quot  src  quot myJs js quot  gt  lt  script gt   and someone tries to access the myJs js file in browser  he shouldn t be granted any access to the script source  For example  if your page is written in php  you can include the script via the include function and let the script decide if it s safe quot  to return it s source  In this example  you ll need the external  quot js quot   written in php  file myJs php    lt  php      URL     SERVER  SERVER NAME     SERVER  REQUEST URI        if   URL     quot my-domain com my-page php quot       die  quot    sry  no acces rights    quot      gt     your obfuscated script goes here  that would be included in your main page my-page php    lt script type  quot text javascript quot  gt       lt  php include  quot myJs php quot     gt    lt  script gt    This way  only the browser could see the js file contents  Another interesting idea is that at the end of your script  you delete the contents of your dom script element  so that after the browser evaluates your code  the code disappears    lt script id  quot erasable quot  type  quot text javascript quot  gt        your code goes here     document getElementById  erasable   innerHTML    quot  quot    lt  script gt   These are all just simple hacks that cannot  and I can t stress this enough   cannot  fully protect your js code  but they can sure piss off someone who is trying to  quot steal quot  your code  Update  I recently came across a very interesting article written by Patrick Weid on how to hide your js code  and he reveals a different approach  you can encode your source code into an image  Sure  that s not bullet proof either  but it s another fence that you could build around your code  The idea behind this approach is that most browsers can use the canvas element to do pixel manipulation on images  And since the canvas pixel is represented by 4 values  rgba   each pixel can have a value in the range of 0-255  That means that you can store a character  actual it s ascii code  in every pixel  The rest of the encoding decoding is trivial  Thanks  Patrick

User · Answer

I think the only way is to put required data on the server and allow only logged-in user to access the data as required  you can also make some calculations server side   This wont protect your javascript code but make it unoperatable without the server side code

User · Answer

The only thing you can do is obfuscate your code to make it more difficult to read  No matter what you do  if you want the javascript to execute in their browser they ll have to have the code

User · Answer

I know that this is the wrong time to be answering this question but i just thought of something i know it might be stressful but atleast it might still work Now the trick is to create a lot of server side encoding scripts  they have to be decodable for example a script that replaces all vowels with numbers and add the letter  a  to every consonant so that the word  bat  becomes ba1ta  then create a script that will randomize between the encoding scripts and create a cookie with the name of the encoding script being used  quick tip  try not to use the actual name of the encoding script for the cookie for example if our cookie is name  encoding script being used  and the randomizing script chooses an encoding script named MD10 try not to use MD10 as the value of the cookie but  encoding script4567656  just to prevent guessing  then after the cookie has been created another script will check for the cookie named  encoding script being used  and get the value  then it will determine what encoding script is being used  Now the reason for randomizing between the encoding scripts was that the server side language will randomize which script to use to decode your javascript js and then create a session or cookie to know which encoding scripts was used then the  server side language will also encode your javascript  js and put it as a cookie      so now let me summarize with an example   PHP randomizes between a list of encoding scripts and encrypts javascript js then it create a cookie telling the client side language which encoding script was used then client side language decodes the javascript js cookie which is obviously encoded  so people can t steal your code but i would not advise this because  it is a long process It is too stressful

User · Answer

From my knowledge  this is not possible   Your browser has to have access to JS files to be able to execute them  If the browser has access  then browser s user also has access   If you password protect your JS files  then the browser won t be able to access them  defeating the purpose of having JS in the first place

User · Answer

Forget it  this is not doable   No matter what you try it will not work  All a user needs to do to discover your code and it s location is to look in the net tab in firebug or use fiddler to see what requests are being made

User · Answer

You can also set up a mime type for application JavaScript to run as PHP   NET  Java  or whatever language you re using  I ve done this for dynamic CSS files in the past

[javascript] How do I protect javascript files?

Examples related to javascript

Examples related to source-code-protection