

Ask HN: How do you protect your Javascript-powered WebApps? - neya

Let's say I have a web application like a drag-and-drop Website Builder or something like Google Docs. If someone chose to right click and save the page, obviously our code along with its logic gets saved too. So assume this is a paid service, if the user has the source code, then he could generate infinite number of websites with the offline copy he has. The website builder is just an example, but I'm just asking for similar applications. How do you implement protection for such scenarios?

Obviously, you can't stop the user from saving the source-code, but I was thinking maybe you can perform some "validation" or "tests" within the JS to see if the editor is live from the intended URL. But, I'm not sure, how would you do it, if you had a full-fledged JS powered application? Your thoughts?

Thanks
======
MarkR42
It is not really a problem.

If someone saves out your source code, then they can. You can put a copyright
notice on it.

If they use it on their web site without permission, they're violating
copyright. However, that isn't why it's not a problem.

All of your:

* Version history (except for public versions)
* Unit tests, test plans, test data, test results
* Bug trackers
* Developers' notes; QA engineers' notes
* Code maintenance manuals
* Developers' brains; QA engineers' brains etc.

Are private, and someone leeching your content cannot obtain them.

Not to mention the fact that, if there are any server-side components, they'd
need to reimplement them.

The time it would take them to understand your code, reproduce all the missing
parts, they could just as well develop it themselves.

In fact, if they hired engineers with the calibre required to do that, the
engineers would probably WANT to implement it themselves, not rip yours off.

Do not consider that the .js files are all of your development information.
They aren't.

Additionally, the version that they leech is always going to be "behind" the
one you're developing, right?

So in the time they take to figure out how your code works and how to
integrate it with their own back-end systems, you'll have released a better
(At least hopefully better) version. So they're permanently behind you, with
an inferior product.

~~~
neya
Thank you for the insightful comment :)

~~~
Yaa101
Just wanted to add to the insightful comment, so what if another person uses a
function in that .js code to solve their problem, your ideas stay yours. Also
you can close down your IP into the server programming environment and call
that from your .js. I personally think that the proper balance between closed
ideas and open solutions is what spurred the web world beyond any other
programming environment.

------
jdavid
If it's a web app and it makes API requests it might be pretty hard to make
cross-domain web requests. So if your app is naturally complicated enough this
isn't an issue.

If it's like a JavaScript web game without much of a server component, you
could try to hide a lot of the execution of the code within a closure.
Dynamically loading the code with a script would add to this obfuscation.

In the end you are probably fine.

One final bit of obfuscation that I have always wanted to try was to load the
JS via a web-socket on a worker process. That should even hide a lot of the JS
file being loaded.

If you needed to go farther some people have even done some degree of
encryption. Again all of this is probably way more than you need. I've never
worried about this. If someone has the time to steal your code and work with
it you should probably hire them or go have coffee with them and ask for
feedback.

It's a great honor for someone to read and interact with your code.

------
mistercow
>Obviously, you can't stop the user from saving the source-code, but I was
thinking maybe you can perform some "validation" or "tests" within the JS to
see if the editor is live from the intended URL.

Anyone trying to steal your code would simply remove those tests. As MarkR42
said, your main protection is that your production code, by itself, just isn't
worth that much.
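
Added example, not part of any comment in this thread: a Node.js sketch of the server-side alternative to in-page "is this the intended URL" checks, where the paid step (publishing a site) is gated by a server-issued token and server-held quota. The function names, the token format, the account table and the `sites.example` URL are assumptions made for illustration.

```javascript
const nodeCrypto = require('crypto');

// Assumptions: the secret and account table are constructed sample data.
const SERVER_SECRET = nodeCrypto.randomBytes(32); // never shipped in the .js bundle
const ACCOUNTS = new Map([
  ['user-1', { plan: 'paid', sitesLeft: 2 }],
  ['user-2', { plan: 'free', sitesLeft: 0 }],
]);

function sign(payload) {
  return nodeCrypto.createHmac('sha256', SERVER_SECRET).update(payload).digest('hex');
}

// Issued by the server after login: "<userId>.<expiryMs>.<hmac>".
function issueToken(userId, ttlMs, now = Date.now()) {
  const payload = `${userId}.${now + ttlMs}`;
  return `${payload}.${sign(payload)}`;
}

// Returns the userId for a valid, unexpired token, otherwise null.
function verifyToken(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [userId, expiry, mac] = parts;
  const expected = Buffer.from(sign(`${userId}.${expiry}`), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length) return null;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(expiry) || Number(expiry) <= now) return null;
  return userId;
}

// The paid step runs here. A saved copy of the editor can still draw pages,
// but it cannot publish without a token and quota that only the server grants.
function publishSite(token, doc, now = Date.now()) {
  const userId = verifyToken(token, now);
  if (userId === null) return { status: 401, error: 'invalid or expired token' };
  const account = ACCOUNTS.get(userId);
  if (!account || account.plan !== 'paid' || account.sitesLeft <= 0) {
    return { status: 402, error: 'no publish quota' };
  }
  account.sitesLeft -= 1; // quota is server state, so the client cannot reset it
  const siteId = nodeCrypto.randomUUID();
  return { status: 200, url: `https://sites.example/${userId}/${siteId}`,
           bytes: Buffer.byteLength(JSON.stringify(doc)) };
}
```

Editing a saved copy of the client script changes nothing here, because the token check and the quota counter never leave the server.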

~~~
neya
Yep, thanks matey!

------
jtchang
Has anyone actually found really good javascript source that they actually
liked and would rip off?

I'm sure it exists but 90% of it is a mess and it would be easier to
reimplement. The other 10% is beautiful but only works if you have all the
proper server side code.

~~~
xauronx
I think it would be done fairly frequently with HTML5 games or standalone
tools like he was talking about. If it had zero back end then it would cost
nothing for someone to just rip and host on their own site. People do it with
Flash games all of the time. Throw ads on the page and get some better SEO and
you're golden.

------
qas1981
If you're concerned about code theft, you can always just use a minimizer.
That usually obfuscates your code beyond readability.

