
Ask HN: Can you protect your JavaScript code? - martin_hnuid
Friends of mine have seen their non-trivial code lifted right off their websites and sold by people on Fiverr as if they had written it. I would imagine a lot of folks on Fiverr do just this: Scour the web for the solution they are being paid to create and simply copy-and-paste it to their unsuspecting clients.

Say you are building a site that will make use of very heavy JS code, to the point that the code is critical to your business and you do not want it copied or stolen. How do you protect it? Can you protect it?

I can't see much past obfuscation through minification. How effective are these techniques?

One thought is to use AJAX wherever possible in order to have that code live server side. This, of course, would result in greater server load.
======
oldandtired
Seriously, if you are wanting to protect client side js, you are closing the
barn after the horse has bolted.

Even with obfuscation, if the code is worth copying (for any reason, including
money), it will be copied. It is irrelevant if it is closed or open source.

Even with it server side, any mistakes on your part and the code is available
to whoever really wants it.

Your friends would be better off finding out who was sold the code and letting
those people know where the code actually came from. Do it pleasantly and your
friends may find themselves some new customers.

The one thing they do need to be careful about is not coming across
vindictively. The potential clients may find that attitude less than
favourable. Your friends could even do reviews on the Fiverr site with
humorous comments about how good the people were at copying other people's code
and selling it as their own. Be funny about it and let the culprits lose it.
It will pay off in the end.

I have come across others who have had their work copied and then sold. The
best way to handle this is NOT to get angry, but to use it as a means of
advertising yourself. Your work is so good that people want to copy it and
pretend that it is their own work. How good a recommendation is that?

There are different ways to handle this, be inventive, be pleasant and be
smart.

~~~
martin_hnuid
I know this is a tough one. I'm trying to understand what the options might be
while fully understanding that JS is, in the end, not protectable.

Say you develop a site that offers a very specialized CAD package unique to an
industry. The entire thing has to be client side JS and it could take a year
or more to develop. Theft of code in a case like that could be catastrophic.

Frankly, I'm surprised nobody has come up with a real solution for this.

~~~
oldandtired
The problem here is that you are making a choice to use someone else's
facilities to run your system. Once you do that, you have given up the control
over what they do with it once it is on their facilities.

The first question I would ask you is why does it have to be client side? The
second is why does it have to be in javascript?

As I said above, in using javascript you have forced the horse to bolt and
then you close the barn doors.

Javascript requires you to send them the source. If you use it, then that is
the fundamental choice you are making at the outset. You cannot complain about
someone copying your source code if the choice you make is for them to have to
copy the source code to be able to use the application you have so
painstakingly built.

If you don't want them to have the source code then you give them a binary
blob that has everything appropriately encrypted.

The other point I want to highlight is that having a copy of something is not
theft. You can only steal something when you remove it from the control of the
person you are stealing from. Not any copies, the actual object itself. These
objects can be intangible such as your reputation, but that is another
subject.

It is an unfortunate fact of our society that this very important distinction
has been lost. Theft only applies when the item being obtained is unique and
belongs to someone else.

Once you share something, whether it be code or an idea or anything else that
can be treated as an infinitely copiable, intangible object and it is copied,
it no longer is uniquely yours. Any copies that are made that are not made by
you are not morally yours, irrespective of any monopoly rights granted to you
by the reigning government over you. Governments do not deal with morality,
they dictate law, which is a completely different thing.

So in this case being discussed, you freely (irrespective of any form of
payment you might receive) have given away the source code because of the
underlying architecture you are using. If you don't want this to happen then you
have to choose some other architecture for the dissemination of your
application.

As I have said elsewhere, any copies created that have not been authorised by
you under any monopoly rights that you have been given by some governing body
can be used as free advertising but you cannot cry theft as a moral
consequence.

These days, I work on free projects and so I freely give away my work. This is
in the hope that when I actually need to do paid work, I'll be able to show my
previous work and they will see that I am worth having on board.

~~~
martin_hnuid
> Theft only applies when the item being obtained is unique and belongs to
> someone else. ...

> Once you share something ...

> Any copies that are made that are not made by you are not morally yours

Sorry, that's a really twisted view of reality. Let me use a hypothetical
example to illustrate this:

You hire a bunch of developers and invest a cool million dollars to develop
code for an amazing new online browser-based CAD tool. It's a membership site.
Members can use this CAD tool behind a login. The tool, which took the bulk of
one million dollars to develop is nearly all client side JS based because
that's the only choice available.

Again, it took you and your team a whole year and a million dollars. Let's
spice this up and say that you had to sell your home to raise a big chunk of
that money and have been homeless for a whole year. You've been sleeping on
friends' couches during this time.

A year and a monumental effort later you launch this site and start signing-up
free and paid users. The site is featured in all CAD-related blogs. It's going
great.

Now someone gains access to your site through one of the free promotions and
proceeds to copy 100% of your JS code. They use that to then launch a
competing site within a couple of months. They charge 1/4 of what you charge
because, after all, they just spent a few thousand dollars spinning-up their
site because they STOLE the million dollar effort you made in the form of a
CAD tool written in JS.

The code wasn't "shared". It is the operating code for an online business.
Nobody says "Hey world, I share my code freely. Here's a pink unicorn to
go with that. Enjoy!". No, in fact, there will probably be terms of service as
well as comments within the code establishing copyright. The code isn't given
away for anyone to copy and launch their own business bypassing all of the
effort, financial and time investment. That's ludicrous.

So, your site/service goes down in flames. You have no money to bring legal
action. You can't, they are in China. It's impossible. You are broke. Lost all
your money. Lost your home and now have no business.

And, yeah, nobody wants you on their couch any more.

In what alternate reality is that not theft?

------
mattbgates
You could probably use a Javascript Obfuscator
([http://www.danstools.com/javascript-obfuscate/](http://www.danstools.com/javascript-obfuscate/)
or
[https://javascriptobfuscator.com/Javascript-Obfuscator.aspx](https://javascriptobfuscator.com/Javascript-Obfuscator.aspx))
but you'll always want to make backups of your original code. There are some
that are able to obfuscate it but may not be able to reverse it. I've used it
to mask emails when my contact forms have gotten spam, but haven't used it for
massive amounts of code. However, if you are after protecting that code and
making sure no one steals it, then why not use it?

------
woranl
How about rewriting/converting the app in C++ and delivering it via WebAssembly?

~~~
martin_hnuid
That's very interesting. I wasn't familiar with this. Thanks.

------
spurlock
> Say you are building a site that will make use of very heavy JS code, to the
> point that the code is critical to your business and you do not want it
> copied or stolen. How do you protect it? Can you protect it?

There are countless obfuscation tools out there, but in the end if someone
wants your code, they can reverse it into more readable code and steal it,
using it on their website/webapp. It's the way browser engines are designed
that ensures this. JavaScript is there for the taking and is not compiled into
machine code. It's _interpreted_. So no, you can't protect it. No matter how
much you abuse the eval() function or mangle the code[1].

[1]: [https://en.wikipedia.org/wiki/JSFuck](https://en.wikipedia.org/wiki/JSFuck)
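
As an added example (not part of the comment above or of any tool named in the thread): why eval()-based packing is not a confidentiality control. The packer, the sample source and the function names are constructed for illustration, and a runtime with global `btoa`/`atob` (browsers, Node 16+) is assumed.

```javascript
// Constructed sample: the source a site owner would like to keep private.
const SECRET_SOURCE = 'function area(w, h) { return w * h; } area(6, 7);';

// Constructed eval-style packer: the shipped file is a one-line stub that
// base64-decodes the real source and hands it to eval().
function pack(source) {
  return `eval(atob("${btoa(source)}"))`;
}

// Whatever the packing scheme, the engine needs the real source as a string.
// Rebinding `eval` to a recorder exposes that string. The Function constructor
// creates sloppy-mode code, where a parameter may be named `eval`, so the
// stub's eval(...) call reaches the recorder instead of the real eval.
// Note: this executes the code it is given, so it is run here only on the
// constructed sample above.
function recoverLayers(packed, maxLayers = 10) {
  const layers = [];
  let current = packed;
  while (layers.length < maxLayers) {
    let handed = null;
    const recorder = (src) => { handed = String(src); };
    new Function('eval', current)(recorder);
    if (handed === null) break; // no eval call: this layer is the plain source
    layers.push(handed);
    current = handed;           // peel the next layer, if any
  }
  return layers;
}

// Packing twice adds a layer but changes nothing about the outcome.
function demo() {
  const shipped = pack(pack(SECRET_SOURCE));
  const layers = recoverLayers(shipped);
  return { shipped, layers, recovered: layers[layers.length - 1] };
}
```

The recovered last layer is byte-for-byte the original source, which is why logic that must stay private has to stay on the server rather than in anything shipped to the browser.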

