Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I am building a web application for a company so they can test the app on a control group of people to see if they would like to try funding the app. Funding beforehand is not an option; however, I would like to keep the code somewhat private, so that someone from an IT team can't just easily download all the app files and claim it as theirs. I have researched a little but also found little on what can be done to protect the files for the app, which are written in JavaScript, HTML, CSS, etc., basic web development languages. I was just curious if anyone knew of a way to somehow protect these files, if it is even possible. I'm not against sharing my code; however, for a business opportunity I prefer that it remain private for the time being.
This question has been answered before: How can I obfuscate (protect) JavaScript?
But anyway, here's my take on the question:
You don't need to protect your HTML/CSS code, unless that aspect of the app is what is so proprietary. If that is so, obfuscate your code (there are many websites online that will do this for you).
From the information you gave me, I can infer that it's not the styling or the UI you want to protect, it's the application's logic. In that case, you can obfuscate and then minify the JS code such that it's very hard to deconstruct (although some web browsers do pretty-print the code). To see an example of this, go to Google, open the dev tools, and look at any JS file under the Sources.
I also saw another interpretation to your question. If you meant "to protect the application from being downloaded and then reuploaded", that sadly isn't possible with web apps (unless you explicitly check the domain that the app is running on and restrict the app from running on domains other than yours).
An implementation of the domain-protection would look something like this:
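    // Accept both the bare and the www host. The redirect target below must be one of
    // the allowed hosts, otherwise the official page would redirect to itself in a loop.
    var allowedHosts = ["yourwebsite.com", "www.yourwebsite.com"];
    if (allowedHosts.indexOf(window.location.hostname) === -1) {
        alert("Invalid domain, redirecting to official app...");
        document.location = "http://www.yourwebsite.com/app/";
    }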
After adding this protection, you can stop it from being removed by minifying and obfuscating the JS code.
For the CSS and JS a lot of people use minification. This makes your code really hard to read and makes it hard to find the business logic in your code. As for the HTML, you could uglify it. There is no real way to hide HTML, CSS, JS in your browser because the browser dev tools would reveal all of the code. There are only ways to make it unreadable.
JS minification tool: https://javascript-minifier.com/
CSS minification tool: https://cssminifier.com/
https://developers.google.com/speed/docs/insights/MinifyResources
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 3 years ago.
I was talking to someone that was saying that frameworks like Angular, Vue, or React have a big drawback: except the API part (the interaction with the DB on the server), all the other code is visible from the frontend, so anyone can steal your app.
This is a fundamental fact of writing rich client-side behavior, it's nothing to do with the frameworks. It's to do with having client-side logic. The same issue exists for sites that use, for instance, jQuery, or that manipulate the DOM directly. The primary protection of your work isn't obscurity (hiding your code), it's copyright law.
The fact that the code is client-side has several ramifications:
Regardless of any rich behavior you implement on the client, you must validate all actions and inputs on the server as well.
If there are business processes or calculations or similar that are trade secrets or proprietary, you must not implement them client-side, because whether you obfuscate the code or not, it is visible and can be seen by others.
And yes, it means that anyone can steal the client-side parts of your application. The only thing preventing that is your copyright.
But again, that has nothing to do with the frameworks. It has to do with implementing part of your app client-side.
A side note about frameworks: It's becoming more and more popular to enable server-side rendering (SSR) of code written for frameworks like Vue.js, React, Svelte, etc. So using one of these frameworks doesn't necessarily mean you're writing client-side code: You could use it only for server-side rendering.
There is one interesting thing that's happened recently that's potentially making it much harder to reverse-engineer client-side code, though: WebAssembly. With WebAssembly, what's delivered to the client isn't JavaScript code, it's WebAssembly bytecode. Like Java bytecode, you can reassemble source code from bytecode, but it's a very messy process and the results are very hard to use. So, like really thorough obfuscation, it raises the bar, makes it harder for someone to take your work and reuse it. But it only raises the bar, it doesn't prevent it. (This is a side benefit of WebAssembly, not at all its main point. The great thing about WebAssembly is that it can be the output of compiling any number of other languages, including C, C++, Rust...)
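Added example, not part of the original answer: a minimal sketch of the two ramifications listed above, with the server re-validating every input and keeping the proprietary calculation out of the client bundle. The catalogue, SKU names, limits and discount rule are hypothetical, and the function stands in for a request handler that has already JSON-parsed the body.

```javascript
// Server-side only: the catalogue and the discount rule never reach the browser.
// All names, SKUs and numbers here are hypothetical, constructed for illustration.
const CATALOGUE = { "sku-basic": 1000, "sku-pro": 4500 }; // unit prices in cents
const MAX_QTY = 100;

// Stand-in for a proprietary calculation that must stay off the client.
function volumeDiscountPercent(totalQty) {
  if (totalQty >= 50) return 15;
  if (totalQty >= 10) return 5;
  return 0;
}

// Validate an untrusted, already JSON-parsed request body.
function validateOrder(body) {
  if (body === null || typeof body !== "object" || !Array.isArray(body.items)) {
    return { ok: false, error: "items must be an array" };
  }
  if (body.items.length < 1 || body.items.length > 20) {
    return { ok: false, error: "items must contain 1 to 20 lines" };
  }
  for (const line of body.items) {
    if (line === null || typeof line !== "object" || typeof line.sku !== "string") {
      return { ok: false, error: "malformed line" };
    }
    // Own-property check so "__proto__" or "constructor" are not accepted as SKUs.
    if (!Object.prototype.hasOwnProperty.call(CATALOGUE, line.sku)) {
      return { ok: false, error: "unknown sku" };
    }
    if (!Number.isInteger(line.qty) || line.qty < 1 || line.qty > MAX_QTY) {
      return { ok: false, error: "qty out of range" };
    }
  }
  return { ok: true };
}

// Price the order from server-side data; client-sent prices and totals are ignored.
function priceOrder(body) {
  const check = validateOrder(body);
  if (!check.ok) return { status: 400, error: check.error };
  let subtotal = 0;
  let totalQty = 0;
  for (const { sku, qty } of body.items) {
    subtotal += CATALOGUE[sku] * qty;
    totalQty += qty;
  }
  const discount = Math.round((subtotal * volumeDiscountPercent(totalQty)) / 100);
  return { status: 200, totalCents: subtotal - discount };
}

// Constructed request bodies: honest, tampered (fake price/total), and invalid.
const honest = { items: [{ sku: "sku-pro", qty: 10 }] };
const tampered = { items: [{ sku: "sku-pro", qty: 10, price: 1 }], total: 1 };
const invalid = { items: [{ sku: "sku-pro", qty: -5 }] };
console.log(priceOrder(honest), priceOrder(tampered), priceOrder(invalid));
```

The tampered body is priced exactly like the honest one because nothing the client sends about price is trusted, and the discount thresholds are never present in any file the browser downloads.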
JavaScript codes are compact and dirty. This makes access to the source code difficult and sometimes impossible.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I'm a newbie developing a small web application that uses HTML, JavaScript (Angular 1.5.0) & CSS. I am using Grunt to process, jslint, minify my JavaScript and CSS files. This front-end communicates via HTTP REST calls to a Django application that is also running locally (which has its own database).
This webapp currently lives only on my laptop (MacBook Pro) and I use the PyCharm IDE to edit the files. When I want to test out the app, I simply go to http://localhost:63342/myapp/index.html#. PyCharm's built-in webserver serves it up for me and I can play with it there.
However, I want to allow a select few people to also access the webapp from other locations on the internet. When they try to access http://MyPublicIpAddress:63342/myapp/index.html, they get connection denied.
What is the quickest/easiest/simplest way I can share my webapp with those other people? I do not know much about setting up and configuring Webservers, so if you can give me the simple/easy instructions (or point me to a doc!) that would be most appreciated.
I posted this question to the PyCharm community forum here, but got no response.
Edit
Many answers say I need a hosting service. Yes, if I want to deploy my website to a fixed IP address. But is there no way to simply allow them to briefly visit my webapp while temporarily running a toy web-server on my laptop? This is not a long-term solution, I understand. But just to give them a peek. If possible I would like to avoid the effort and learning-curve involved in pushing it to a hosting service. I would have to set up the back-end API, database, etc. (which are all currently running locally).
There are many services that allow you to host your project online.
For small projects
CodePen: http://codepen.io/
Plunker: http://plnkr.co/
kodeWeave: http://kodeweave.sourceforge.net/
For large projects
Cloud9IDE: https://c9.io/
Koding: http://koding.com/
Github: https://pages.github.com/
Sourceforge: https://sourceforge.net/
Heroku: https://www.heroku.com/
BTW: kodeWeave is my project. It uses Github Gists to save and retrieve your weaves online, thus is not actually saved on the site plus it's a very reliable host when it comes to small projects like it is. (Inspiration from Dabblet.)
It's being made kind of as a JSFiddle alternative for mobile devices, except without all the http requests.
It has many libraries built in (such as jQuery, Angular, Font Awesome, etc.). In addition, when you export as a zip file you will get all those libraries (hence the "except without all the http requests" comment). You can also export your weave as a Windows, Linux, Mac, Chrome Application, and/or as a Chrome popup extension.
You can watch this video I made that explains how to use kodeWeave for desktop exportation.
I've listed services I use and recommend. I will not list something I haven't tried without warning.
If you have a spare laptop you can use that as a web server. I've never done it myself because it's not worth the this for me. However something you may want to look into
Lastly you can read Creating a Local Server Configuration with PyCharm, which may be the option you're looking for.
Use localtunnel to expose your localhost: https://github.com/localtunnel/localtunnel
You need hosting, or try codepen.io for small project.
Change the configuration in PyCharm to host at 0.0.0.0. You will also need to port forward your router... I would strongly suggest not using this as any sort of long, medium or short term solution.
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
I'm a C# developer, and use XAML for user interfaces. Lately I've been wondering something regarding HTML5+JavaScript development (used in Universal Windows App development, as well as for websites). Javascript is compiled and executed at run-time on the client device. So any user can go into the folder where they're stored on computer, and see all the code in it, right?
There is no unreadable alternative for js and html5. That's why so many websites are so slow in adopting html5 video and replacing adobe flash.
But if your entire application is client side and you worry about your code being stolen you're doing something wrong. Almost any application requires serverside code that isn't accessible.
And it doesn't matter anyway, who cares about some js that makes a div draggable or moves some html around.
I don't think readable JavaScript code is of any value... what matters is the server side code like PHP or ASP, which really matters in the security of the websites.
And even if the developer didn't want the user to read the JavaScript framework, what option does he/she have to prevent it? None!
The client side code is indeed visible by the client. If something is available client side, then you won't need a round trip to the server to get it.
For example you could imagine a simple calculator application. You could write it client-side, in JavaScript, and the app can output the calculations immediately. Or you could write it server-side (in whatever language you want), which means you need to ask the server for the calculation (with an ajax request probably), and wait for it to respond.
Also some things don't make sense on the server-side. Pretty much any action that changes the DOM, which only exists client-side, in the browser.
I wrote about this on my blog a while back, see Protecting Your Code, as an addendum to my free ebook, Programming Windows Store Apps with HTML, CSS, and JavaScript, 2nd Edition.
The short of it is that JS code is not protected, though you can make things a little more difficult with minification/uglification like many website authors do. You can also take steps by putting some of the code you care about into Windows Runtime Components written in C++ (C# can be decompiled). The only really secure solution is to have code on a server, and draw from that in an app, which of course doesn't work for all cases, but is an option.
Note that some of my comments in that blog from 3 years ago might be a little dated. I believe that current Windows Store policy now allows you to load code from a remote server at run time.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 5 years ago.
I have found many similar questions but nothing identical to what I am asking. I am building an app using Phonegap.
It seems that Apple allow apps that request external JS (people using Google Maps and so on), so basically by using a <script> tag in the header and referencing the external js file. My problem is that I want to do something similar but via code, so using jQuery getScript.
The functionality all works, but my only worry is that Apple say you cannot download code to your app. Surely having a script tag in the header of the app referencing external JavaScript is exactly that, downloading JavaScript to the app.
It's basically exactly the same in my opinion: no matter how you grab the JavaScript, it's still technically 'downloading' code.
Anybody know the true answer to this, if not, how do I find out? Even if the app was approved, there is nothing to stop me building 20 apps with this code just to find in future that I was lucky and they take them all down.
There are mixed opinions about it. Some developers have been given a hard time for approval of the app when using PhoneGap. I personally prefer not to use it. Here is a link to a discussion that has the opinion of many developers.
http://www.linkedin.com/groups/Anyone-uses-PhoneGap-on-iOS-72283.S.106288557
https://devforums.apple.com/message/513221
As I said, there are mixed opinions about it. Using PhoneGap does not prevent your app from being approved, but it is clearly mentioned in the docs that apps that download code will be rejected. According to Apple there is no issue with having JavaScript code inside the app, but you cannot execute a set of code to download the script into the app from outside. It has to be inside your app. I hope this makes sense to you. But all in all, if you are building an app that downloads code it will be rejected; if you are building an app that has the script inside it and downloads the dialogue (like Facebook) related to it, no problem.
Apple doesn't allow you to load code later on.
Exceptions are part of every rule, but the general opinion about this is clear and I wouldn't rely on that.
The spirit of this 'guideline' is to ensure the functionality of the app doesn't change in any significant way after Apple's approval. Apple is even locking down the ability to change screenshots after approval. This is more for security, still the goal is the same: to consistently present the functionality of your app.
Inferring from the title of your question, are you using <script> or getScript to ensure the latest version gets to the device, as opposed to packaging the app and updating the app?
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 3 years ago.
I have a method I'm testing right now for hiding javascript so that the user can't go around searching for it in the source files.
The method is this:
You have a bunch of javascript files included to make your application work. Libraries like jQuery, dojo, and your own code. This is pretty standard.
There is one critical piece of javascript code without which the app will not function, nor will any curious user be able to make heads or tails of the app without it. This critical piece does not get loaded by script tags. Instead, a small unobtrusive script calls to a database and returns the javascript in a big long string.
This string gets eval()-ed to make it live code. But the code was dynamically generated, so it won't show up if the user is looking through the source code or saves the website. Furthermore, you can add some kind of a salt or time-stamp to prevent users from trying to trick the database into revealing your javascript kernel.
I'm trying to get feedback on this from the community, and most of the examples I've turned up for hiding JavaScript with server-side code have just been people wanting to include a .php file in the tags instead of .js. This is totally different.
So there you have it. Is this a good idea? What are the weaknesses?
eval() is generally frowned upon, but regardless, the big weakness is that I can simply sniff the HTTP requests and get your script. Obfuscation can make this more inconvenient, but with a good debugger it's not that hard to follow a stack trace and get a good idea of what is occurring.
Even if the resource is transferred over SSL, it can be perused/manipulated once it has been loaded by the browser. To test this, I went to a secure website and examined a raw TCP response (both synchronous and asynchronous using XML HTTP) using SmartSniff. As expected, it's encrypted and unreadable. However, the same requests are all visible as plain text in Chrome's network activity inspector.
It's trivial to make JavaScript code unreadable by humans (and even highly resistant to reverse engineering) - and you don't need to hide it in a lot of other code. But why? Generically, the name given to this kind of code is malware.