Rasit aydin

Reputation: 469

How do I prevent my Node.js code from being stolen?

I need some advice. I am thinking of developing a new product using NodeJS and Express. This product should run in on-premise mode, because the product will be an information security product and will keep sensitive data. I just want to guarantee that it takes a long time to be reversed.

So, how do I protect my code from being stolen? Or is NodeJS the right choice?

Do you have any tutorial or advice?

Thanks and best regards.

Upvotes: 3

Views: 5652

Answers (3)

sunknudsen

Reputation: 7240

If your business model and customers support the idea that your company owns and operates the hardware on which your software runs (similar to how IBM and Oracle operate) and someone on your team can be on-premise at boot time (which isn’t always convenient), you could run Node on Linux and encrypt the data using LUKS, which would make it very hard for an attacker (or corporate spy) to have access to the code without elaborate hacking.

You mentioned your services being sensitive. This approach would also help mitigate data breaches as the database would also be encrypted.

Depending on your needs for reliability, the hardware doesn’t need to be expensive. You can set up a cheap software RAID 1 which replicates the data and schedule encrypted backups on a small USB thumb drive. If budget permits, you could also run this setup on server-grade computers which feature hardware RAID, redundant power supplies and encrypted hardware VNC which would allow you to decrypt LUKS remotely (that being said, remote VNC isn’t as secure because hardware key loggers could be installed on the server without you knowing).

This hardware setup can cost only a few hundred dollars per client and it would make your service feel more "enterprise" and guarantee your code cannot be tampered with.

Upvotes: 0

Rashedul Islam Sagor

Reputation: 2059

Plan A:

  1. Prepare a self-hosted Node and DB server.
  2. Then expose APIs for your secure product info with a unique/secure/hashed API token.
  3. Each vendor/company requests an endpoint with a token to consume secure product information that is bound to a client app.
  4. Then create a client application; it may be for any platform (Windows/Linux/Android/iOS).
  5. Prepare a license activation process for one time, one user. If the license activates, then send back to the app client an API token for the next requests.

When a user or company installs this client app they must require a license key [API token], and this license key you provide one time per user or company.

So the original source code of this server is intact and no one can steal this script & DB either.

Upvotes: 1

jfriend00

Reputation: 707218

If you are distributing the server software so that your customer can run the server themselves on premise, then you simply cannot protect your server source code. If node.js can run it, then anyone at your customer's site who has physical access to the server can also see the source code.

With proper protections enabled by your customer, your server source code would not be available to the outside world, but you'd have to rely on your customer installing and securing things correctly for that to be the case.

You can obfuscate your source code before distributing it. This type of obfuscation that renames all variables to give them meaningless names is not a real form of security at all, but it does make reverse engineering to understand what your code does more work (potentially deterring some people from putting in the extra work), but it does not prevent reverse engineering from a determined hacker.

If you have a relatively small number of secret sauce things you're trying to protect then a determined hacker can plow through the extra work of the obfuscation and still get to your algorithms.

In the end, the only real way to fully protect the internals of your work is not distribute your source code (no matter the language or environment) and to run a service and have the customer access your service. Even with a fully compiled language (with no source code distribution) like C++, a determined hacker can still reverse engineer critical algorithms or credentials.

If the customer will only accept servers that they purchase and run on their premises, then my guess is that you're over-thinking this reverse engineering issue. Anything you try to do other than obfuscation is going to complicate your product and sale and make you sell significantly less while not really preventing the determined hacker anyway.

Upvotes: 5
