Thursday, October 18, 2007

8 Ways Not to Protect your Precious JavaScript code

Ever since the emergence of web scripting, creative webmasters developing beautiful JavaScript for their sites have wished to protect their precious code from others stealing their hard work. Most likely you will be protected automatically by copyright laws. A good collection of articles on copyright relating to the Web can be found here. However, people can still steal your idea and make their own version of it.

So how will you protect your JavaScript Code?
The well-known answer to such a requirement is as plain as
"If browser can read it, I can".

Even though there is no simple and 100% foolproof solution for this, we try to find a solution that works for you and your specific needs. Below we list the popular ways people try to "protect" their JavaScript code.

1. JS in New Window

Method Description
In this method JS is loaded in a new window, with toolbar disabled.

Workaround
Right click and view Page Source on the new window.


2. Disable Right Click

Method Description
Disable right click by JS code.

Workaround
Disable JS temporarily and view the source code.

3. Layering

Method Description
Use JS across multiple layers of frames/iframes to confuse the viewer

Workaround
Not difficult for a determined mind.


4. Remote JS

Method Description
Hide the JavaScript on a remote server.

Workaround
Get the source location and open the file in browser.


5. Encoders

Method Description
Encode the script using an encoder

Workaround
It can be stolen and used. A correct set of decoders could even decode it to near perfection.


6. Obfuscate

Method Description
Obfuscate the script with various tools
List of Free Online JavaScript Obfuscators

Workaround
Can still be decoded.

7. Using REQUEST_URI or HTTP_REFERER

Method Description
Use PHP variables to restrict the access of the JS.

Workaround
Does not work for all cases.


8. JavaScript to write JS

Method Description
Dynamically use JS to write JS path using innerHTML.

Workaround
You can copy the JS code and make it work the way you want and steal the remote JS code.


However, your JavaScript still will not be 100% protected so long as you are sending the JS to a browser and the browser can read it. People even use packet sniffers to get your script.

Following are some of the practical things you could do to ensure moderate security.

1. Use layers of obfuscation and encryption to make sure that no one can modify your code easily.
2. Combine 2 or more methods mentioned above to make it difficult to get your code.
3. If possible use server side PHP/JSP/ASP code and use AJAX interface for calling those methods.
4. Make your code check for time, so that anyone stealing it will not be able to use it for long. Combine this trick with the first one to make sure they cannot change it.
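
Item 3 above, sketched as an added example that is not part of the original post: the logic worth protecting runs only on the server (Node.js here rather than PHP/JSP/ASP), and the browser receives nothing but a thin AJAX call and the computed result. The pricing rules, the `/api/quote` route and all function names are hypothetical.

```javascript
// Added example: keep the valuable logic server-side, expose only its result.
// Pricing tiers, route and names are hypothetical, constructed for illustration.

// --- Server side: this code is never sent to the browser ---
const UNIT_PRICE_CENTS = 1999;
const TIERS = [                       // checked from highest threshold down
  { minQty: 100, discount: 0.20 },
  { minQty: 10,  discount: 0.10 },
  { minQty: 1,   discount: 0.00 },
];

function quote(qty) {
  const tier = TIERS.find(t => qty >= t.minQty);
  return Math.round(qty * UNIT_PRICE_CENTS * (1 - tier.discount));
}

// The query string is untrusted: accept only integers 1-99999,
// and answer with the total only, never the rules behind it.
function handleQuote(params) {
  const raw = params.get('qty') ?? '';
  if (!/^[1-9]\d{0,4}$/.test(raw)) {
    return { status: 400, body: { error: 'qty must be an integer 1-99999' } };
  }
  return { status: 200, body: { totalCents: quote(Number(raw)) } };
}

// Minimal HTTP wrapper; call serve(8080) to run it.
function serve(port) {
  const http = require('node:http');
  return http.createServer((req, res) => {
    const url = new URL(req.url, 'http://localhost');
    const out = req.method === 'GET' && url.pathname === '/api/quote'
      ? handleQuote(url.searchParams)
      : { status: 404, body: { error: 'not found' } };
    res.writeHead(out.status, { 'Content-Type': 'application/json' });
    res.end(JSON.stringify(out.body));
  }).listen(port);
}

// --- Client side: everything "view source" or a packet sniffer reveals ---
const CLIENT_JS = `
async function showQuote(qty) {
  const r = await fetch('/api/quote?qty=' + encodeURIComponent(qty));
  const data = await r.json();
  document.getElementById('total').textContent =
    r.ok ? (data.totalCents / 100).toFixed(2) : data.error;
}`;
```

Anyone can still call the endpoint and observe its outputs, so this protects the implementation, not the results it returns.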



Resources

List of Free Online JavaScript Obfuscators
Copyright on Web: Related articles
Review of Professional JavaScript Obfuscators
Thread regarding Protecting JS code
