node.js - Code Protection?

Question

I want to use node.js in my next project, but my boss does not like that our competitors can read the source code.

Is there a way to protect the JavaScript code?

Answer 1

You could accomplish this with a NativeExtension for node

You'd have a boostrap.js file that adds a extension handler for .jse files

// register extension
require.extensions[".jse"] = function (m) {
 m.exports = MyNativeExtension.decrypt(fs.readFileSync(m.filename));
};

require("YourCode.jse");

YourCode.jse would be the encrypted version of your source code (the key for decryption wouldn't be anywhere in plain-text because the decryption process takes place in the native extension).

Now you have your NativeExtensions decrypt function transform the source back to javascript. Just have your build process create encrypted .jse versions of all your files and release those to your customers. They'd also need the native extension but now you've made it a little harder to modify your code without too much effort. You can even make the native extension call home and check license information to help prevent piracy (keep in mind this won't stop piracy, there's no solution for that).

Answer 2

Just include a license agreement and give them the source code. They might want to customize it anyway.

Answer 3

As I have just completed a huge pure Nodejs project in 80+ files I had the same problem as OP. I needed at least a minimal protection for my hard work, but it seems this very basic need had not been covered by the NPMjs OS community. Add salt to injury the JXCore package encryption system was cracked last week in a few hours so back to obfuscation...

So I created the complete solution, that handles file merging, uglifying. You have the option of leaving out specified files/folders as well from merging. These files are then copied to the new output location of the merged file and references to them are rewritten auto.

NPMjs link of node-uglifier

Github repo of of node-uglifier

PS: I would be glad if people would contribute to make it even better. This is a war between thieves and hard working coders like yourself. Lets join our forces, increase the pain of reverse engineering!

Answer 4

To be very clear, client-side Javascript (as downloaded from a remote server into a standard web browser) cannot be protected from viewing and/or modification no matter how you obfuscate it since reconstruction ("de-obfuscation") of the original source is technically trivial. (Javascript obfuscation is simply another example of the widely used security misnomer "security through obscurity".)

If you wish to use Javascript and Node.js to provide a protected "product" (which in this context is an application or service requiring installation on a server your company does not control), you cannot secure it either as the only option available to you (obfuscation) provides no such protection.

It should be noted that even if your product is provided as a binary executable that is no guarantee you can protect the intellectual property it contains as any binary can be decompiled into an understandable format. In this case, we enjoy some level of security based on the excessive resources (time/expertise) required to convert low-level machine code (as provided by decompilation) into the higher-level logic constructs used by modern programming languages. (This from one who once decompiled CP/M into an understanding of its internal design by hand. ;)

All however is not lost: if we assume that one can protect intellectual property programmatically (the jury is still out on this one), there is a way to provide a Node.js-based product in a secure fashion, but it is not for the technically unadventurous as it would require substantial refactoring of the Node.js source code (to add support for cryptographically secure libraries and remove--or otherwise protect--object reflection for your proprietary libraries.)

Answer 5

JXcore (node.js 0.11.X distro) has its own JX packaging feature that secure the source code and assets. You can even select whether that particular package can be used from other applications or not. (standalone OR library)

Let's say you have many JS etc. files and the entry point to your module is something like;

exports.doThis = function() { ...... };

if you simply call the method below and compile it to JX package, the source code will be safe.

jxcore.utils.hideMethod(exports.doThis);

this is (method hiding) would only required for the entry file since all the other sub JS files not reachable from the calling application.

You need JXcore to run JX packages.

More information is available from JXcore

Answer 6

You can use EncloseJS - compiler for node.js projects. It really compiles JavaScript to native code, and your sources are not included to binary.

Answer 7

Package your core logic into modules.. these modules can be built then run through Google's closure. You could even be able to do this as a Grunt task as part of your build process.

It's an old question but worth pointing out. Note: nothing you do will truly hide your code, but neither will anything shipped via .Net (C#) or Java for that matter. In general, simply using a tool like uglify, or closure should be enough of an obfuscation point. By being modular and using closure you can actually do a lot of optimizations that otherwise would be difficult.

Answer 8

Server side javascript code is completely closed source. No-one can read it.

Client side javascript code is completely open source. Everyone can read it.

For the latter you can do nothing but the same applies for RoR, ASP.NET, PHP, etc.

The actual server code is closed unless you publicly make it available.

If your making a library and trying to sell it as 3rd party source then it's open and can be stolen. Of course you can sue them for copyright breach.

There are various big companies like extjs which sell libraries which could be stolen that's why what they actually sell you is the code and a support service.

Most commercial projects build on node are services.

Answer 9

you can use packer for nodejs for obfuscate your script...

Answer 10

Anyone tried nexe or pkg ?

These seems like a good option. A command-line utility that compiles your Node.js application into a single executable file.

Answer 11

Check this article.

I will show you how to “truly” compile Node.js (JavaScript) code to V8 Bytecode. This allows you to hide or protect your source code in a better way than obfuscation or other not-very-efficient tricks (like encrypting your code using a secret key, which will be embedded in your app binaries, that’s why I said “truly” above).

So, using bytenode tool, you can distribute a binary version .jsc of your JavaScript files. You can also bundle all your .js files using Browserify, then compile that single file into .jsc.

Check bytenode repository on Github.

Answer 12

There is no way you can be absolutely sure that nobody will be able to read your code. You could use obfuscation or minification, which can make it significantly harder to decode your code, though. One example of an obfuscator/minifier is Google's Closure Compiler for JavaScript.

Answer 13

Pkg comes in handy.

To be sure sources aren't included in the generated output file, verify that package.json doesn't specify a license (such as "license": "ISC") that would force inclusion of sources. See https://github.com/vercel/pkg/issues/190 for details.

Answer 14

I have an idea. Protect a cpp or java application instead of js.

1. Wrap your code in an encryption format, and compile it as a utf-8 file resource.
2. Use your cpp or java application to upload the entire file to a linux pc or arm computer, make sure you have a strong password or close ssh port or disable the video port and browse the linux pc only by web.
3. There is a cpp program to decrypt the file in the linux pc.
4. Develop a webserver to controll your linux pc.

So this is much like a black box, the clients can do nothing to your code.