 

How do I prevent my Node.js code from being stolen?

I need some advice. I am thinking of developing a new product using NodeJS and Express. This product should run in on-premise mode, because the product will be an information security product and will keep sensitive data. I just want to guarantee that it takes a long time to be reversed.

So, how can I protect my code from being stolen? Or is NodeJS the right choice?

Do you have any tutorial or advice?

Thanks and best regards.

Rasit aydin asked May 31 '26 23:05


2 Answers

If you are distributing the server software so that your customer can run the server themselves on premise, then you simply cannot protect your server source code. If node.js can run it, then anyone at your customer's site who has physical access to the server can also see the source code.

With proper protections enabled by your customer, your server source code would not be available to the outside world, but you'd have to rely on your customer installing and securing things correctly for that to be the case.

You can obfuscate your source code before distributing it. This type of obfuscation that renames all variables to give them meaningless names is not a real form of security at all, but it does make reverse engineering to understand what your code does more work (potentially deterring some people from putting in the extra work), but it does not prevent reverse engineering from a determined hacker.

If you have a relatively small number of secret sauce things you're trying to protect then a determined hacker can plow through the extra work of the obfuscation and still get to your algorithms.

In the end, the only real way to fully protect the internals of your work is to not distribute your source code (no matter the language or environment) and to run a service and have the customer access your service. Even with a fully compiled language (with no source code distribution) like C++, a determined hacker can still reverse engineer critical algorithms or credentials.

If the customer will only accept servers that they purchase and run on their premises, then my guess is that you're over-thinking this reverse engineering issue. Anything you try to do other than obfuscation is going to complicate your product and sale and make you sell significantly less while not really preventing the determined hacker anyway.

jfriend00 answered Jun 02 '26 12:06


Plan A:

  1. Prepare a self-hosted Node and DB server.
  2. Then expose APIs for your secure product info with a unique/secure/hash API token.
  3. Each vendor/company requests an endpoint with a token to consume the secure product information, which is bound to a client app.
  4. Then create a client application, and it may be for X platform (Windows/Linux/Android/iOS).
  5. Prepare a license activation process for one time, one user. If the license is activated, then send an API token back to the client app for the next request.

When a user or company installs this client app, they must have a license key [api-token], and you provide this license key one time for one user or company.

So the original source code of this server stays intact, and no one can steal this script or the DB either.

Rashedul Islam Sagor answered Jun 02 '26 12:06
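The one-time license activation described in Plan A, sketched server-side as an added example that is not part of the original answer or any project's code. The `LicenseServer` class, its method names and the customer name are hypothetical; storing only SHA-256 hashes of keys and tokens is an assumption of this sketch, chosen so that a leaked database does not reveal usable credentials.

```javascript
// Added example: in-memory sketch of one-time license activation (hypothetical names).
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(String(s)).digest('hex');

class LicenseServer {
  constructor() {
    this.licenses = new Map(); // sha256(licenseKey) -> { customer, activated }
    this.tokens = new Map();   // sha256(apiToken)   -> customer
  }

  // Vendor side: generate a random license key for one user or company.
  issueLicense(customer) {
    const key = crypto.randomBytes(16).toString('hex');
    this.licenses.set(sha256(key), { customer, activated: false });
    return key; // handed to the customer out of band
  }

  // Step 5: a valid, unused key is exchanged exactly once for an API token.
  activate(licenseKey) {
    const record = this.licenses.get(sha256(licenseKey));
    if (!record || record.activated) return null; // unknown or already used
    record.activated = true;
    const token = crypto.randomBytes(32).toString('hex');
    this.tokens.set(sha256(token), record.customer);
    return token; // sent back to the client app for later requests
  }

  // Every later API request presents the token; returns the customer or null.
  authenticate(apiToken) {
    return this.tokens.get(sha256(apiToken)) ?? null;
  }

  // Lets the vendor cut off a leaked or shared token.
  revoke(apiToken) {
    return this.tokens.delete(sha256(apiToken));
  }
}

// Constructed walk-through with a made-up customer name.
const demo = new LicenseServer();
const demoKey = demo.issueLicense('example-customer');
const demoToken = demo.activate(demoKey);
console.log('first activation issued token:', demoToken !== null);
console.log('second activation rejected:', demo.activate(demoKey) === null);
console.log('token maps to:', demo.authenticate(demoToken));
```

In a real deployment the two maps would live in the database behind the API, and the token would travel only over TLS.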


