How to prevent your JavaScript code from being stolen, copied, and viewed? [closed]

by

It’s simply not possible.

For a visitor’s browser to be able to execute the script, they have to be able to download it. Not matter what trickery you try to pull with JS, server permissions etc., at the end of the day they can always just wget http://example.com/yourcoolscript.js. And even if they can’t (e.g. you require “secret” headers for that request) that would likely inhibit the behaviour of most browsers, while not stopping a determined person from looking anyway.

Fundamentally, because JS is executed client-side, the client must have access to the “original” JS file.

One minor thing you can do is obfuscation, which can help a little bit. But since JS is interpreted, it’s also its own deobfuscator – see one of my earlier answers for an example.

Basically – “if you build it, they will look”. 🙂

More Related Contents:

  1. How to secure javascript code from being run on other domain (stolen) ? need more ideas
  2. Why does Google prepend while(1); to their JSON responses?
  3. Why is using the JavaScript eval function a bad idea?
  4. SecurityError: Blocked a frame with origin from accessing a cross-origin frame
  5. JavaScript: client-side vs. server-side validation
  6. Sanitize/Rewrite HTML on the Client Side
  7. How does Content Security Policy (CSP) work?
  8. Detecting if a browser is using Private Browsing mode
  9. How to read a HttpOnly cookie using JavaScript
  10. What are “top level JSON arrays” and why are they a security risk?
  11. Where to save a JWT in a browser-based application and how to use it
  12. Cross-site AJAX requests
  13. Unsafe JavaScript attempt to access frame in Google Chrome
  14. Is Javascript eval() so dangerous? [duplicate]
  15. Secure distribution of NodeJS applications
  16. What are the AES parameters used and steps performed internally by crypto-js while encrypting a message with a password?
  17. JSON security best practices?
  18. Security Issues for allowing users to add own JavaScript to your site?
  19. How to prevent html/JavaScript code modification
  20. CSRF protection with CORS Origin header vs. CSRF token
  21. Safe value must use [property]=binding after bypass security with DomSanitizer
  22. Check if a file exists locally using JavaScript only
  23. Web application access user’s file system
  24. How to secure the JavaScript API Access Token?
  25. Exploiting JavaScript’s eval() method
  26. Why is “javascript:” pseudo-protocol stripped from URL bar when pasted?
  27. Adding X-CSRF-Token header globally to all instances of XMLHttpRequest();
  28. What makes an input vulnerable to XSS?
  29. Javascript – key / certificate from USB Token
  30. Embedding youtube video “Refused to display document because display forbidden by X-Frame-Options”

Leave a Comment