How to prevent your JavaScript code from being sto

2019-01-02 18:05发布

问题:

I know its impossible for 100% protection, but something high or that works for majority of the users.

For instance, I encountered a site where viewing the current page's source returned nothing.

In another case, accessing or trying to download the .js files itself from browser

http://gget.com/somesecret.js,

would redirect you and stuff.

If you obfuscate your code, will it be very very difficult to decode it? if so that is also another good solution (what software is recommended) ?

回答1:

You could obfuscate your Javascript. There are a lot of tools to do that in the wild, e.g. http://www.javascriptobfuscator.com/. However it does not prevent anyone to see the code, but makes it harder to read.



回答2:

It's simply not possible.

For a visitor's browser to be able to execute the script, they have to be able to download it. Not matter what trickery you try to pull with JS, server permissions etc., at the end of the day they can always just wget http://example.com/yourcoolscript.js. And even if they can't (e.g. you require "secret" headers for that request) that would likely inhibit the behaviour of most browsers, while not stopping a determined person from looking anyway.

Fundamentally, because JS is executed client-side, the client must have access to the "original" JS file.

One minor thing you can do is obfuscation, which can help a little bit. But since JS is interpreted, it's also its own deobfuscator - see one of my earlier answers for an example.

Basically - "if you build it, they will look". :-)



回答3:

There are two kinds of user: There is the large group who couldn't care less. No need to protect against them.

Then, there is the group who really wants to see how you did it. There is no way to protect against them. They have all the tools and the knowledge to circumvent any protection you could come up with. You could use obfuscation but that's going to cost you money and time, so in the end, you can only lose.

Create a great product plus offer good support and people will be willing to pay for it. Castle building didn't work well in the past (lot of effort and it took just a couple of stones to tear them down) and it surely doesn't work today.

If you're afraid that your ideas are going to be stolen, then look for a new job, because they will be and there's nothing you can do.



回答4:

If you have big secrets, keep them on the server.

Then bundle all your JS files in one file, that you obfuscate.
This should prevent many people to go further, and as well reduce size and http calls.
But this won't stop the real bad guy if any.

We're building a JS heavy app and cured this paranoia long time ago.
If fact, we did the opposite.

As nothing can be protected, why not open source useful parts and get feedback from other people?
Try it, you won't be disappointed.



回答5:

One idea is to use websockets to serve javascript files to the browser through a socket.listener and running with eval. That way, it's very very very difficult for anyone to see the actual "source", since the connection of the socket has been already closed.

There is another amazing tactic which can be seen on the homepage of http://samy.pl, which uses spaces (\u0020) and tabs (\u0009) as a byte cipher to hide JS code!

If you view the source, you can only see 1 line of actual JS code: http://pastebin.com/e0pqJ8sB See for yourself if you can figure out how it works (no spoilers!)

As far as obfuscators go, see http://utf-8.jp/public/jjencode.html (and/or another version)

This free obfuscator runs client-side, and produces gibberish that unminify.com and jsbeautifier can't even decode:

$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)[$.$_][$.$_];$.$($.$($.$$+"\""+$.$_$_+(![]+"")[$._$_]+$.$$$_+"\\"+$.__$+$.$$_+$._$_+$.__+"(\\\"\\"+$.__$+$.__$+$.___+$.$$$_+(![]+"")[$._$_]+(![]+"")[$._$_]+$._$+",\\"+$.$__+$.___+"\\"+$.__$+$.__$+$._$_+$.$_$_+"\\"+$.__$+$.$$_+$.$$_+$.$_$_+"\\"+$.__$+$._$_+$._$$+$.$$__+"\\"+$.__$+$.$$_+$._$_+"\\"+$.__$+$.$_$+$.__$+"\\"+$.__$+$.$$_+$.___+$.__+"\\\"\\"+$.$__+$.___+")"+"\"")())();

Original code:

alert("Hello, JavaScript")

Output from both beautifier websites:

$ = ~[];
$ = {
    ___: ++$,
    $$$$: (![] + "")[$],
    __$: ++$,
    $_$_: (![] + "")[$],
    _$_: ++$,
    $_$$: ({} + "")[$],
    $$_$: ($[$] + "")[$],
    _$$: ++$,
    $$$_: (!"" + "")[$],
    $__: ++$,
    $_$: ++$,
    $$__: ({} + "")[$],
    $$_: ++$,
    $$$: ++$,
    $___: ++$,
    $__$: ++$
};
$.$_ = ($.$_ = $ + "")[$.$_$] + ($._$ = $.$_[$.__$]) + ($.$$ = ($.$ + "")[$.__$]) + ((!$) + "")[$._$$] + ($.__ = $.$_[$.$$_]) + ($.$ = (!"" + "")[$.__$]) + ($._ = (!"" + "")[$._$_]) + $.$_[$.$_$] + $.__ + $._$ + $.$;
$.$$ = $.$ + (!"" + "")[$._$$] + $.__ + $._ + $.$ + $.$$;
$.$ = ($.___)[$.$_][$.$_];
$.$($.$($.$$ + "\"" + $.$_$_ + (![] + "")[$._$_] + $.$$$_ + "\\" + $.__$ + $.$$_ + $._$_ + $.__ + "(\\\"\\" + $.__$ + $.__$ + $.___ + $.$$$_ + (![] + "")[$._$_] + (![] + "")[$._$_] + $._$ + ",\\" + $.$__ + $.___ + "\\" + $.__$ + $.__$ + $._$_ + $.$_$_ + "\\" + $.__$ + $.$$_ + $.$$_ + $.$_$_ + "\\" + $.__$ + $._$_ + $._$$ + $.$$__ + "\\" + $.__$ + $.$$_ + $._$_ + "\\" + $.__$ + $.$_$ + $.__$ + "\\" + $.__$ + $.$$_ + $.___ + $.__ + "\\\"\\" + $.$__ + $.___ + ")" + "\"")())();

Hope this enlightens those in need!



回答6:

Especially in modern browsers, it's a complete waste of time.

I can use Firebug to see somesecret.js... as for the other I'm better if you'd scrolled down you'd see the source.

You can minify or obfuscate your code, which will make it difficult to alter (but not to take an exact copy). Minification is recommended as it will result in your page loading slightly faster.



回答7:

Don't waste your time. If a browser can download it to run it (and it can, otherwise the code is useless), a program can be written to download it and save it.

Time and time again, we've seen that technological methods to protect things like this don't work.

Do you really think that your JS code is so precious that it needs that sort of protection? Once you get it working, by all means run it through a minifier if only to speed up the download process. But as to protecting it, I would concentrate on what you do best (which I'm assuming is coding it).

If you really need to protect the code from being viewed, don't do it in client side JS. Put it on the server and just use JS to communicate with that.



回答8:

Well, if you own the server, you can deny access from referers other than your own hostname. On Apache, you can do that through .htaccess.

You can also use Dean Edwards' packer to pack your production Javascript codes.

But take note that with Firebug or other debugging tools, most people are still able to see your code through the DOM tab/inspector.



回答9:

If someone does steel your code you can sue them. Your code is copyright protected. You are like the author of a novel. If anyone stole your app or any part of your code they would be guilty of plagiarism.



回答10:

One thing you CAN do is to circumvent javascript altogether -- write the client-side logic in an equally or more competent language (for which you can find a javascript compiler) and compile it to javascript in the end. (This probably obfuscates the code too well)



标签: