ImprovedSource - Protecting Your JavaScript Source Code

Protecting Your JavaScript Source Code
by Cory Rauch 2006-10-09 Category: JavaScript

You just spent weeks writing a master piece of a JavaScript Class only to find the following week it ripped from your site and posted on competitors sites. Even worse your competitor claims it as there own code, advertising it as such. As web applications become more common this scenario is becoming more common.

Is there any solution? There are many companies offering applications that rename variables and functions names, remove comments, and remove white spaces. And this does makes it harder to read your javascript source code but not impossible. These types of changes can be reversed and unfortunately there exists applications to automate the task of putting back those renamed variables name and function. Because of this it is not an ideal solution, but maybe able to thwart some. Others take it a step further by then escaping the source code, then at runtime unescape the source before executing it. This again can be easily reversed, and also make your javascript file larger.

A new take on the problem. We have created a solution that addresses this issue without the problem associated with other solutions. This solution protects your source code by first making it unreadable by splitting it into fragments, and randomly mixing these fragments up. Each fragment then is placed in a chain that can be only read in order by starting at the correct location in the chain. If start an incorrect location is given the source code return is just a garbled mess. The script then is packaged with another script that contacts immediately back to the web server to get the correct starting location, then it puts your source code back together from the chain. The chain and starting location is rotated on every request so that they are different everytime your website or script is loaded. And the web server script that answers with the correct starting location will only give the client script under 1 second time window to respond back to get the correct location, before wiping this information from memory. This method is both fast and very secure, and seperates the method to decode from the source code transferred to web page. It also only adds small overhead to your scripts size that is negligible in most cases.

What are the limitations. This solution uses a cookie based session management so a cookie needs to be created to work. Also the javascript code when put back together will launch a start up call. So instead of have you code execute lets say at page load or in the body of the web sites html, you will need to put it in this startup function. So the page would have to be modified to work with the encoded Javascript. And also no solution is a 100% secure when dealing with parsed languages, and this is not either. It will though make it very very hard to crack with alot of time and effort needed to code a solution to automate capturing the key and chain. Time and effort we think most will conclude it would be better spent on writing there own code. So think of it like a deterent to javascript source code theft.

How To Use. To use first download the below file, and set the base_url var at the top to the folder that your javascript files are located in. (This folder you will want outside of the document root of you website since you will not want any to be able to directly access the javascript files) Then instead of the usual script tags replace them with the following: <script language=''JavaScript'' src=''[path to]/encode.php?path=[javascript filename or path here]''></script>

Then place any startup or onload code in a function called Encode_JavaScript_StartUp() {}.

Download Files
Encode.php script

Other ImprovedSource Articles:
Free JavaScript Solitaire Game

[ Back ]