September 08, 2014

Full-stack JavaScript Source Code Protection

by Pedro Fortuna

Good news for the Node.js aficionados! JScrambler now officially supports protecting the source of Node.js apps. If you have been paying attention, Node.js has undoubtedly been on the rise. Perhaps you are already using it! In the last two years, we have received numerous requests from Node.js developers to support Node.js obfuscation. Woohoo! We are now delivering.

Developing support for Node.js was fun and had quite an impact on our development team. Basically, after getting knee-deep in Node.js development, we decided to switch from PHP + Zend to Node.js. Node.js brings tons of advantages. We are not going into that here, as there are numerous posts on it. Check, for instance, this cool post from the PayPal team about their decision to migrate to Node.js.

Now we are happy to announce that JScrambler is the first Full-stack JavaScript source code protection on the market. We already supported protecting client-side JS. Now, all source code transformations work with Node.js too. To support Node.js, one of the necessary steps was to work on the source code transformations that injected DOM objects, e.g. window, into the protected code. The exceptions are Domain Lock, Browser Lock and OS Lock: these source code transformations are meant for client-side code only and do not make sense for backend code. When you select the Node.js application mode, these transformations will be unavailable.

JScrambler 3.6 Full-stack JavaScript protection solution

JScrambler 3.6 now supports Node.js source code protection

Of course, not everyone will feel the need to protect Node.js apps, but there are scenarios where it makes sense. I’d like to mention two:

  1. You are delivering your Node.js code to others – perhaps you custom develop applications for other companies. Naturally, you have probably invested in a codebase common to all your customers, to speed up development and offer competitive prices. Over time, a lot of time and money will have been invested in that common codebase. In that case, you may consider protecting your sources to reduce the risk of this code leaking out. Leaked code may fall into the hands of competitors, who may inspect it to learn about your work and perhaps some business details. Or it may encourage new competitors to open up a store on the other side of the street, without the initial investment, i.e. developing your codebase. Nor will they want to build upon protected code. Most developers react badly when they need to do something on top of a bad developer’s work. Imagine building on top of heavily obfuscated code. Whether the competitors are existing or new, protecting your code might help you avoid getting into IP legal disputes. Protecting your codebase will also discourage your clients from hacking your code. Be it to unlock features, or simply to pirate it, you’ll want to stop them from violating your license agreement.
  2. You deploy Node.js apps to the Cloud / shared hosting – the cloud has done an immense amount for the Web. You can deploy your Web Apps to a virtual server and not spend a minute worrying about server outages. However, we have all felt a bit nervous about putting our code on a server without knowing who has access to it or how firmly the security policies are being followed. By protecting your sources, you’ll get an extra layer of security in case your code ends up being accessed by others.

In summary, by protecting your code you can reduce the risk of:

  • your code leaking out and giving away details of your work to existing competitors
  • your code leaking out and being used to bootstrap new competitors
  • your code being hacked by your clients to unlock features
  • your code being leaked onto the Internet and pirated
  • your license agreement being violated
  • your code being accessed by others in Cloud / shared hosting environments
  • dealing with IP legal disputes

To test the compliance of JScrambler with Node.js, we used the unit tests from the most used npm libraries, such as Express, Koa, etc. We passed all of them.

Now, if you are asking yourself where to start, first you’ll need a JScrambler account. Just register a trial account at jscrambler.com. If you are just interested in minifying or compressing your code, you may be glad to hear that JScrambler is free for that purpose. And you can use the API too. If you need the protection, you’ll have to subscribe to one of the existing plans.

Grunt and Gulp integration

JScrambler 3.6 provides several resources for integration in your build process

It’s very easy to integrate JScrambler in your Node.js build environment as it already supports both Grunt and gulp. If you use neither, you can grab the Node.js API client and customise it to fit your needs. And if that still does not work for you, you can always use the API CLI executable that you can run from your scripts or from your IDE. If you use Atom.io, check out this plugin we developed. To configure any of the API clients, you basically just need to grab your API keys, and write a config.json file listing the source code transformations you want to use. It’s simple. Check all available clients here.

That’s it. If you are building Full-stack JavaScript Web Apps and you want to secure their code, give JScrambler a try.