Protecting source code

Hi.

People will always be able to read the HTML markup and any other client-side code you send (like JavaScript and CSS). There is no real way to protect against that.

PHP on the other hand is executed on the server and is never sent to the client's browser. That in itself protects your PHP code from being viewed by the client, but the output of the PHP code (usually HTML, CSS and JavaScript) will be visible to your clients.

So then basically doing what I suggested wouldn't have any desirable effect?

So then basically doing what I suggested wouldn't have any desirable effect?

If I am understanding you correctly, that you are trying to hide the HTML markup and the client-side scripts from being viewed, then no, it would not have the effect you wanted.

The simple reality is that the HTML and client-side scripts need to be visible to the client so that it can be read and displayed by the browsers.

Is there any particular reason why you don't want your client-side scripts to be seen?

You can't stop people viewing your code but you can disable right-click and other buttons that they could use to view your source code. so if you have a site made of frames. They can't see the individual frame sources only the frameset source, which isn't very useful to them.

That would be done in Javascript, so ask in the JavaScript forum.

Oh.. Apparently I didn't read your post very well. ;) sorry.

Is there any particular reason why you don't want your client-side scripts to be seen?

I just don't want people copying the site. A couple years ago I put up a site with some new features that wern't on any other similar sites, but within a month, everyone else had copied those features so their sites would "steal" the web traffic of people interrested in sites with those features.

I am once again adding some new features that arn't on those other sites, and I would like to make it at least a little more difficult for those other webmasters to copy my work. granted, I've got a copyright, but that's only as good as my willingness to sue. If they want those features, let them do the work I had to do.

I see. It is, unfortunately, impossible to hide the client-side code from people. Especially if they are determined to get it.

If a lot of your features are written in JavaScript or other client-side scripts, you could try re-writing some of it in PHP, making it very hard to steal. It would probably be enough to just re-write portions of it, making the JavaScript code unusable by itself.

People cannot view PHP code or other server side languages when they view your source. Neither will they be able to view javascript or CSS if they are in external documents!

You can make a php script to echo the HTML code for example:

etc..

or the same with Javascript and 'document.write'. This will effectively hide your code!!

(please correct me if I'm wrong) - that should work!

Sam

Hi Sam.

Unfortunately you are not entirely correct there.

You are correct in saying that the server-side code, PHP and such, can not be viewed, but the client-side, HTML, CSS, JavaScript, can be viewed, even if they are external.

External documents (CSS, Javascript) exist on the server and must be available to the client in order to be read and used. Which means that a client can simply view the HTML markup, find the link to the external files and view them as they would any other page.

The code you posted will print the contents of the echo statements to the HTTP Response as the page's HTML markup. So it can be viewed just as a you had requested a normal HTML page containing the same markup.

I had similar concerns as the original poster. Here is a partial solution:

Create sourcefile.htm and targetfile.htm. Be sure to add to your .htaccess so PHP can be parsed inside htm files.

Create this function inside a separate PHP file. For ease of explanation we will call our file myfunctions.php. Here is the function:
Create a FRAME or IFRAME in sourcefile.htm that targets targetfile.htm.
At the very top of targetfile.htm place this PHP code:
Follow this PHP code with any mark up for targetfile.htm.

What this function nosee() does is use the PHP function strpos() to check if the referring page server variable contains the site's domain name. This condition will only be true if another page on the site "calls" the page like is the case in using a FRAME or IFRAME. Hence, the content of targetfile.htm will appear in the FRAME or IFRAME of sourcefile.htm.

If someone tried to access targetfile.htm directly then the referrer page variable will not be set. Nextm, $pos variable will evaluate to false. Lastly, the If conditional of the nosee() function will evaluate to true (i.e. $pos equals exactly false) immediately printing I hope this helps. But be warned. I am not a pro and only dabble with web design and PHP scripting. So I don't know what I don't know. For all I know this method I outlined could have been defeated a long time ago. Second I can not get it to work on external CSS files. Also, using this method may cause usability and search engine problems. So use at your own risk.

If someone tried to access targetfile.htm directly then the referrer page variable will not be set.

This would exclude all visitors coming directly from, for example, Google. Or any link outside of your site. This is, in general, not what anybody would ever want to use on their site. Ever.

As a matter of fact spiders wouldn't necessarily set the referrer to be anything on your site so it'd look to spiders like your whole site contains nothing but the error page text.

The referrer string is sent by the user agent at their discretion. It can say whatever they want it to say. It can't be relied on completely, though it may be accurate in most cases.

As to the OP's problem, I'd say you just have to move faster than the competition. Competitors who want your client-side code will get it easily and disabling right-click for the 99.99% of visitors who aren't copying your site will tick them off. The only consolation I can offer is that you probably learned a thing or two from viewing other site's source as well.

I just don't want people copying the site. A couple years ago I put up a site with some new features that wern't on any other similar sites, but within a month, everyone else had copied those features so their sites would "steal" the web traffic of people interrested in sites with those features.

I am once again adding some new features that arn't on those other sites, and I would like to make it at least a little more difficult for those other webmasters to copy my work.

You implemented "new features" on a web site a couple years ago and you don't know the basics of JavaScript and PHP? Forgive me if that raises my eyebrows.

Listen, if you ever implement a "feature" on a web page that's worth stealing, there is absolutely NOTHING you can do to prevent others from stealing it. The reason is that the browsers need to be able to get the code and read it - JUST LIKE HUMANS.

Yes, you can make this more difficult by hiding your coolness in JavaScript and obfuscating it (like Google does), but this won't prevent anyone dedicated enough from hacking your site within a week.

You could make it really annoying to read, like put it all on one line or something. That way if they steal it you get the gratification of knowing they went through a big hassle, if nothing else.

So is our best protection to make everything so much of a hasle that the hacker will find an easier target?

I can acomplish what I want as far as security goes without distributing code, however It cost me money handling post backs just to run scripts that could be handled on the client side.

what a long thread

its very simple as the last and first guys said
if the browser can "read" it so can we!
makeing the code congested (try to view google js page its art) and with complicated vars i belive is the best way, at least if someone "steal" it u know he spend a few hours to understand what you did in days of work
se la vi

i have an insanely long solution, and when i say insanely long i mean it'll take 2 posts to get the whole code in, but most of it is just copy/paste into an include, and the rest is pure genuis.

People can't see server side html, right?

Nor can they see the source for data added AFTEER the page has loaded (Eg: document.getElementById.innerHTML="DSFSD";)

So i compiled my brains with ajax and sajax and php and made this:

Page loads -> Requests AJAX -> Runs PHP in bg -> PHP returns to ajax the hidden content -> AJAX rewrites the content of the target with the data to be hidden -> Hacker looks at source -> sees ORIGIONAL html, NOT updated html -> Pulls out hair -> Origional webmaster enjoys a safe code -> TSDN has to deal with a huge post -> Then someone kills me because i made a long list.

ok

thats it in a nutshell

tell me if your interested.

i have an insanely long solution, and when i say insanely long i mean it'll take 2 posts to get the whole code in, but most of it is just copy/paste into an include, and the rest is pure genuis.

People can't see server side html, right?

Nor can they see the source for data added AFTEER the page has loaded (Eg: document.getElementById.innerHTML="DSFSD";)

So i compiled my brains with ajax and sajax and php and made this:

Page loads -> Requests AJAX -> Runs PHP in bg -> PHP returns to ajax the hidden content -> AJAX rewrites the content of the target with the data to be hidden -> Hacker looks at source -> sees ORIGIONAL html, NOT updated html -> Pulls out hair -> Origional webmaster enjoys a safe code -> TSDN has to deal with a huge post -> Then someone kills me because i made a long list.

ok

thats it in a nutshell

tell me if your interested.

ummm what about the traffic? every refresh u use the server...
and for another issue that i want to be sure about
when u use ajax, and say generate a table or any other object.. other js function dont know this object id so i dont think its the right way to protect your code ( can someone currect me if i am wornge about the object id of html code returning from ajax cant be read from js function)

One way or another they will get your source code.

the internet, whether you like it or not, is pretty much open source, and i'm doubtful that you've never nicked a bit of code from someones site before. c'mon.. haven't you? Anybody?

Markus, the 'copy and paste kid', n00b!

One way or another they will get your source code.

the internet, whether you like it or not, is pretty much open source, and i'm doubtful that you've never nicked a bit of code from someones site before. c'mon.. haven't you? Anybody?

Markus, the 'copy and paste kid', n00b!

nevrer took a code from a website im not supposed to, though i must admit i used some 'other' websites to obtain JS during my learning years, but now i write it myself.

i try to avoid every chance of copyright violation.

hi ...

may be someone is interested in this article ... another try to hide javascript-code ... and in any case: since the code is to be delivered to the client and the browser must read it ... there is no chance to hide it reliably even when you could make it harder to do! ... the simplest way i could imagine is to install the firebug-extension to firefox and have a look at everything i'm interested in ... it even shows the ajax-requests and the raw-response from there so even with that you couldn't hide something in a reliable way ... and in my opinion: you simply shouldn't try ... when you don't want someone to reuse your code ... then simply don't publish it. minify the code could make a sense for traffic but obfuscating/encode it ... whatfor? it just produces additional decoding operations ... and hurts performance ... my personal opinion is: just leave the code open source and let everybody see it ... format it in a useable way so that others could learn from it ... leave a comment about copyright or whatever in the script and i guess the 're-users' will leave it there ... simply let everybody read/reuse your code :) ...

kind regards

Did you put a copyright notice on the page?

If not, I suggest you do so.

You have legal remedies for copyright infringment, and violations of Intelectual property.

It is illegal to copy web pages, pictures from web pages, or steal "business processes or methods".

You will find however that most people stealing web site content, and layout are from outside the US and difficult to serve.

outside of that, there is little you can do to "prevent" transmissions from reaching a client, while also "allowing" said transmissions to reach a client.

Until someone builds a web browser that supports hidden code execution, and encrypted script transport.

I haven't seen one example that i could not circumvent in a matter of minutes. There is not likely to be one that is ever "fullproof".

Did you put a copyright notice on the page?

If not, I suggest you do so.

You have legal remedies for copyright infringment, and violations of Intelectual property.

It is illegal to copy web pages, pictures from web pages, or steal "business processes or methods".

You will find however that most people stealing web site content, and layout are from outside the US and difficult to serve.

outside of that, there is little you can do to "prevent" transmissions from reaching a client, while also "allowing" said transmissions to reach a client.

Until someone builds a web browser that supports hidden code execution, and encrypted script transport.

I haven't seen one example that i could not circumvent in a matter of minutes. There is not likely to be one that is ever "fullproof".

The thing with the copyright notice is that the person who uses it will just change your name to their's and change the date or whatever.

Just out of interest if you just use external js pages, can't you just add a .htaccess file with this in it:

then they will get a forbidden message when they try to view it. Would that work? I can't see why it wouldn't stop them.

Sam

Just out of interest if you just use external js pages, can't you just add a .htaccess file with this in it:

Expand|Select|Wrap|Line Numbers

1. <FILES scripts.js>
2. order allow, deny
3. deny from all
4. </FILES>
5.  

then they will get a forbidden message when they try to view it. Would that work? I can't see why it wouldn't stop them.

Sam

This would in fact stop them, but it would also stop your browser from being able to read it.
A browser requests javascript files just as they do HTML files.

The simple fact is, people WILL be able to steal any and all client-side code no matter how you try to hide it.
If you want a browser to be able to read your client-side code, it MUST be available to the public. There is no cheating this fact.

AJAX won't hide your code, as it is simply a second HTTP request within a client-side script. The URL your AJAX call requests can be used just as any other URL's can be used.

Creating complex and confusing code in an attempt to alienate potential thieves may work, but it will also make it complex and confusing to you.

The only way to avoid getting your code stolen is to use server-side code that is hidden from the public.

Uuuuuuuuuuuuuuuuh!

What an exhausting read to get the bottom of this post! Atli is surely right. One of the fundamental drawbacks of JavaScript is that its out there at the mercy of the browser and the browser's owner!
So here we have a balance to try to strike: to get those extra functionalities and perks, you must 'risk' laying out your codes out there!
Come to think of it, original poster aren't you a little stingy? 'Cause a major concern for keeping code private is security. Yours is competition.
Anyhow, as they say in my country: No mind me jare! Maybe you'll soon breakthrough on this issue, and we'd all come away with our codes, box, lock and key.
Regards,
Ifedi.