Menu
I know it's impossible to hide source code but, for example, if I have to link a JavaScript file from my CDN to a web page and I don't want the people to know the location and/or content of this script, is this possible?
For example, to link a script from a website, we use:
<script type="text/javascript" src="http://somedomain.com/scriptxyz.js"> </script> Now, is possible to hide from the user where the script comes from, or hide the script content and still use it on a web page?
For example, by saving it in my private CDN that needs password to access files, would that work? If not, what would work to get what I want?
793
1. JavaScript Code Protection. With the flexible and dynamic nature of the web, to protect JavaScript code from potential attackers, the best option is to add runtime protection.
No, it's not possible. If it runs on the client browser, it must be downloaded by the client browser.
JavaScript in <head> or <body> You can place any number of scripts in an HTML document. Scripts can be placed in the <body> , or in the <head> section of an HTML page, or in both.
JavaScript can be dangerous if the proper precautions aren't taken. It can be used to view or steal personal data even you don't realize what's going on. And since JavaScript is so ubiquitous across the web, we're all vulnerable.
This means that anyone can steal your JavaScript code, modify it and reuse it for his own purposes. One of the ways to protect your code is to obfuscate it to encrypt the code and make it unreadable. Protect your code and intellectual property.
If you password protect your JS files, then the browser won't be able to access them, defeating the purpose of having JS in the first place. I think the only way is to put required data on the server and allow only logged-in user to access the data as required (you can also make some calculations server side).
One of the ways to protect your code is to obfuscate it to encrypt the code and make it unreadable. Protect your code and intellectual property. Compact js to also make file size smaller and increase page speed.
This has several drawbacks and the most important one is that JavaScript source code can be easily viewed by anyone. This means that anyone can steal your JavaScript code, modify it and reuse it for his own purposes. One of the ways to protect your code is to obfuscate it to encrypt the code and make it unreadable.
Javascript is a client-side programming language, therefore it works on the client's machine, so you can't actually hide anything from the client.
Obfuscating your code is a good solution, but it's not enough, because, although it is hard, someone could decipher your code and "steal" your script.
There are a few ways of making your code hard to be stolen, but as i said nothing is bullet-proof.
Off the top of my head, one idea is to restrict access to your external js files from outside the page you embed your code in. In that case, if you have
<script type="text/javascript" src="myJs.js"></script> and someone tries to access the myJs.js file in browser, he shouldn't be granted any access to the script source.
For example, if your page is written in php, you can include the script via the include function and let the script decide if it's safe" to return it's source.
In this example, you'll need the external "js" (written in php) file myJs.php :
<?php $URL = $_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']; if ($URL != "my-domain.com/my-page.php") die("/\*sry, no acces rights\*/"); ?> // your obfuscated script goes here that would be included in your main page my-page.php :
<script type="text/javascript"> <?php include "myJs.php"; ?>; </script> This way, only the browser could see the js file contents.
Another interesting idea is that at the end of your script, you delete the contents of your dom script element, so that after the browser evaluates your code, the code disappears :
<script id="erasable" type="text/javascript"> //your code goes here document.getElementById('erasable').innerHTML = ""; </script> These are all just simple hacks that cannot, and I can't stress this enough : cannot, fully protect your js code, but they can sure piss off someone who is trying to "steal" your code.
I recently came across a very interesting article written by Patrick Weid on how to hide your js code, and he reveals a different approach: you can encode your source code into an image! Sure, that's not bullet proof either, but it's another fence that you could build around your code.
The idea behind this approach is that most browsers can use the canvas element to do pixel manipulation on images. And since the canvas pixel is represented by 4 values (rgba), each pixel can have a value in the range of 0-255. That means that you can store a character (actual it's ascii code) in every pixel. The rest of the encoding/decoding is trivial.
Thanks, Patrick!
126
The only thing you can do is obfuscate your code to make it more difficult to read. No matter what you do, if you want the javascript to execute in their browser they'll have to have the code.
39
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
