Leonardo

Reputation: 2363

Do you know a way to protect the JS code and make it visible only if requested by the remote?

Theoretically, JS runs in the browser, so after the first download it can easily be copied and made to run directly from the local machine, without going through the remote server. Because I need to sell an application * js (pay-as-you-use), I need to check each request and make it available ONLY if required by that particular site and, of course, only if he paid.

Upvotes: 4

Views: 225

Answers (4)

brymck

Reputation: 7663

It may be a little more trouble than it's worth. Yes, you could require clients to provide a token and whitelist certain domains, etc. But they can still open any site that uses that particular JavaScript -- even someone else's -- and just Save As... .

A better bet is controlling the script's interaction with your server. If it makes any AJAX calls to a server you control, then take that chance to authenticate. If it doesn't depend on data from you in that way, I think you'll just have to face the problem that anyone dedicated enough will be able to download your script and will be able to use it with a little bit of playing around.

Your best bet is, in addition to the above, keep track of domains that have paid and search every once in a while to find if anyone's taking your code.

Upvotes: 0

Steve Claridge

Reputation: 11100

I wouldn't make the JS file that you plan to sell available directly on a URL like

yourdomain.com/yourfile.js

I would offer it on a URL like

yourdomain.com/getfile

Where /getfile is a URL that is processed by a server-side language (PHP, Java, etc.), where you can check whatever credentials you need to check, be it requesting domain name, IP address, some token or something else.

Upvotes: 5

Alexander Gessler

Reputation: 46697

It doesn't work. As soon as someone has downloaded a copy of the JavaScript file, he or she can always save a copy of it and even redistribute it.

Thus you cannot protect the JavaScript itself - but assuming you rely on some client-server interaction (i.e. AJAX), the server would not respond to requests coming from non-authorized sources, thus rendering the client-side worthless.

If you need to protect your business logic, don't put it into JavaScript. Alternatively, sue everybody who uses your scripts without having obtained a license (not sure if this is practical, though ...).

Upvotes: 5
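The server-side check the answers above point to (authenticate the script's AJAX calls rather than the script file), as an added example that is not part of any answer on this page. The token format, the function names `issueToken` and `authorize`, the secret and the sample sites are all assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Constructed demo secret; a real one is random and never leaves the server.
const SECRET = "constructed-demo-secret";

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
}

// Issued after payment: binds the licensed site and an expiry time (ms).
function issueToken(site, expiresAtMs) {
  const payload = Buffer.from(JSON.stringify({ site, exp: expiresAtMs }))
    .toString("base64url");
  return payload + "." + sign(payload);
}

// Decide whether an API call from the script gets an answer.
// Returns { ok, reason } so that refusals can be logged per customer.
function authorize(token, originHeader, nowMs) {
  const [payload, sig] = String(token || "").split(".");
  if (!payload || !sig) return { ok: false, reason: "malformed" };

  // Verify the signature before parsing anything the client sent.
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(sig);
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }

  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  if (nowMs >= claims.exp) return { ok: false, reason: "expired" };
  // Browsers set Origin themselves; other clients can send any value,
  // so this check is a tripwire and the signed, expiring token is the control.
  if (originHeader !== claims.site) return { ok: false, reason: "wrong-origin" };
  return { ok: true, reason: "licensed" };
}
```

A copied script still runs in the browser, but every call it makes to the server is refused once the token has expired or fails verification, which is what makes the copy worthless.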

rascio

Reputation: 9289

If your application is made in Java, you can use a ServletFilter to check if the request is valid (if the IP is correct, or maybe you can use a ticket like the Facebook, Twitter, what-you-want REST API), and if it isn't valid, don't show anything.

If you aren't using Java, I think that something similar can be made with every programming language.

Upvotes: 1
