Mike Aski

Reputation: 9236

Technical ways to protect SPA code in production

What technical solution do you set up to have your application source code at least not wide openly distributed to the rest of the world in production?

Some may argue this code has no big value, but having the app's object model fully documented is a real competitive disadvantage, IMO.

Any ideas, arguments, patterns you can share with us?

Edit / Precision

I must have been unclear: the idea is not to hide the app from allowed users (in which case, I agree, obfuscation is largely sufficient). What I mean is to not serve the app at all while the user is not logged in.

Upvotes: 5

Views: 1279

Answers (4)

Kobi

Reputation: 51

You should not build your SPA like it's shown in some popular tutorials and videos. Don't use libs like breeze.js that expose your DB entity schema and even your queries on your entity objects. Don't serve more info, data, fields, rows etc. than needed for the specific view. Don't carry your business rules over to the client JavaScript; hide them in server-side APIs, call them via AJAX and just serve the result on the client. Do most of your complex validation in the server-side AJAX APIs and do just very basic rules in the client JavaScript; leave those things that give you a competitive edge behind the server-side web APIs. A cleverly written enterprise SPA that serves some line of business should ideally just be the necessary user interface with the great user experience, nothing more. No data processing or heavy calculations in the client JavaScript please, or anyone could steal your business.

Upvotes: 5

Ibrahim Yusuf

Reputation: 303

In my projects, I just minify CSS and JS code, so it doesn't include the comments in production. But hey, you're right, the code itself has no big value. I know a real programmer can recreate what I made just by looking at it - so why bother. Plus, nobody wants to re-invent the wheel. Trying to hide it will not give anything other than extra work.

So just minify them to increase performance and reduce HTTP requests. Also, if you use Handlebars (since Ember.js is tagged), you can pre-compile it too.

If you really want to hide everything, you can always revert to a conventional server-side app (like conventional PHP) without any JavaScript.

EDIT: Now I understand your question. You can make a simple page without JavaScript for users to log in, and, when login is successful, redirect them to your Ember application.

Upvotes: 1
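A sketch of the approach in the question's edit and in the answer above (plain login page, app served only after login), added here as an example and not code from the thread. It uses only Node's `crypto` module; the `handle` function, its simplified request object, the demo user and the in-memory asset map are assumptions made for illustration.

```javascript
const { randomBytes, scryptSync, timingSafeEqual } = require('node:crypto');

// Constructed demo data: one user and an in-memory "bundle"; a real app uses a user DB and files on disk.
const SALT = randomBytes(16);
const USERS = new Map([['alice', scryptSync('correct horse', SALT, 32)]]);
const ASSETS = new Map([
  ['/app/index.html', '<script src="/app/app.js"></script>'],
  ['/app/app.js', 'console.log("private object model")']]);
const LOGIN_PAGE = '<form method="post" action="/login"><input name="user"><input name="pass" type="password"><button>Log in</button></form>';
const sessions = new Map(); // session id -> user name, kept server-side

function sessionUser(cookieHeader = '') {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader);
  return m ? sessions.get(m[1]) : undefined;
}

function checkPassword(user, pass) {
  const stored = USERS.get(user);
  // Hash even for unknown users so response time does not reveal which names exist.
  const given = scryptSync(String(pass), SALT, 32);
  return timingSafeEqual(given, stored ?? Buffer.alloc(32)) && stored !== undefined;
}

// req: { method, path, cookie, form }  ->  { status, headers, body }
function handle(req) {
  if (req.path === '/login' && req.method === 'GET')
    return { status: 200, headers: { 'Content-Type': 'text/html' }, body: LOGIN_PAGE };
  if (req.path === '/login' && req.method === 'POST') {
    const form = req.form ?? {};
    if (!checkPassword(form.user, form.pass))
      return { status: 401, headers: { 'Content-Type': 'text/html' }, body: LOGIN_PAGE };
    const sid = randomBytes(32).toString('hex');
    sessions.set(sid, form.user);
    return { status: 303, body: '', headers: { Location: '/app/index.html',
      'Set-Cookie': `sid=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax` } };
  }
  if (req.path.startsWith('/app/')) {
    // The session check covers every file under /app/, not only index.html.
    if (!sessionUser(req.cookie))
      return { status: 302, headers: { Location: '/login', 'Cache-Control': 'no-store' }, body: '' };
    if (!ASSETS.has(req.path)) return { status: 404, headers: {}, body: '' };
    // "private" keeps shared caches and CDNs from storing the bundle and replaying it to anonymous users.
    return { status: 200, headers: { 'Cache-Control': 'private, no-cache' }, body: ASSETS.get(req.path) };
  }
  return { status: 404, headers: {}, body: '' };
}
```

This only controls who receives the bundle; any logged-in user can still read it in the browser, as the other answers point out.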

Jeremy Green

Reputation: 8574

The best you can do is to use some sort of uglifier to just make the code harder to decipher. If the code is available to be run in a browser then it's also available to be inspected.

Upvotes: 0

Blaine Kasten

Reputation: 1693

Unfortunately (or fortunately) JavaScript can never be completely hidden from the end user, as browsers give access to inspect files that are loaded for the page. The best thing you can do is make the code hard to read by minifying it. This is a good idea even if you don't want to hide your source, as it will allow the JavaScript file to load faster, raising the performance of your website.

Minifying basically strips your file of all comments, spaces and puts everything on a continuous line. It'll look similar to this

There are many different ways to minify JavaScript. Grunt may be one of the easiest ways that I've found. You can create a task to minify your JavaScript and even have it watch your file so if you save it, it will minify it into an external file each time.

In my opinion, if there was ever a reason to not have a mentality to hide your code, it would be to encourage growth in the development industry and let other people gain knowledge off your code.

Upvotes: 0
