[method] How to protect javascript code

Discussion in 'Black Hat SEO' started by meannn, May 25, 2013.

  1. meannn

    For whatever purpose, you sometimes do not want other people to read your JavaScript code, either through view source or by downloading it.

    Usually, what you can do is to obfuscate your JavaScript code.

    There are lots of good tools free to use, such as Google Closure Compiler and YUI Compressor. They all work very well except you will end up having issues with global variables, API methods that you wanna use externally and so on.

    So, today I'm going to talk about how I make this happen without "damaging" your JavaScript code.

    Step 1: Generating unique keys

    First, generate a whole bunch of random keys and add them into a database. Then, on each page load, use PHP (or any other language) to load up a unique key from the database for later use.

    Step 2: Using JavaScript to add <script> tags and remove them on load

    When a <script> tag is written directly in your HTML code, people can see it in view source. And in Firefox and Chrome, when the script link is clicked in view source, the browser will open a cached version for you instead of firing an HTTP request to download another copy. So, the key we use is not going to work.
    To get around this, we can use JavaScript to add the script tag to your document. This will make the script tag invisible in view source. Here comes another problem: people can still view the cached version in a debugging tool such as Firebug or Chrome Developer Tools. The answer is easy: remove the script tag once it's loaded. Now, no one can see the script tag, either in view source or in a debugging tool. But people can still see the code for adding/removing script tags, right? That's not a problem. When they try to copy and paste the script src and download it, they will get nothing because the key has already been used and therefore the PHP script (see Step 3) won't give you anything.

    An additional benefit you will get from this is that all your JavaScript code will be loaded asynchronously, which will speed up your page loading time.

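        (function() {
            // Create the script element at runtime so it is not written in the HTML source
            var ga = document.createElement('script');
            ga.type = 'text/javascript';
            ga.async = true;
            // k is the one-time key loaded by PHP on this page load (Step 1)
            ga.src = 'script.php?f=xxxx.js&k=854624547';
            // Remove the script tag from the document once it has loaded
            ga.onload = function() {
                ga.parentNode.removeChild(ga);
            };
            var s = document.getElementsByTagName('script')[0];
            s.parentNode.insertBefore(ga, s);
        })();
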
    Step 3: Returning JavaScript in PHP
    Create a PHP script that all the script src attributes point to. When a request is captured, you first validate the key; if it's not expired, return the JavaScript file contents and delete the key from your database.

    Note: make sure you put all your JavaScript files in a randomly named folder, so that only your PHP script knows where to read them.

        <?php
        function is_key_valid($key) {
            // check the key in your database
            // ....
        }

        function deleteKey($key) {
            // delete the key from your database so that people cannot download a script with the same key
            // ...
        }

        $key = $_GET['k'];
        if (is_key_valid($key)) {
            // 1. remove the key
            deleteKey($key);

            // 2. read the file, and print out the file contents
            // basename() drops directory components, so "f" cannot point outside $dir
            $file = basename($_GET['f']);
            // put all your JS files in this folder so that only your PHP script knows where they are
            // people won't be able to figure it out by guessing
            $dir = '4564787894548797';
            $file_contents = file_get_contents($dir . '/' . $file);
            if ($file_contents) {
                header('Content-type: text/javascript');
                print $file_contents;
            }
        } else {
            print 'Buy me a coffee, and I will give you my script';
        }

    If you have lots of JavaScript files in your website, and you don't want to include them one by one (with a unique key for each), you can consolidate all file names into a comma-delimited string and send it over to PHP. In PHP, explode the string, use a loop and print all file contents in one go.

    Yes, there is always a downside. When scripts are loaded in this way, because they have a different key in "src" each time a page is hit, the browser thinks they are different and therefore will not cache them.

    Hope this is helpful for you.
    • Thanks x 3
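
The key handling from Steps 1 and 3 above, as an added Node.js example that is not part of the original post: the key is checked and deleted in one operation so a replay cannot slip in between the two, and the `f` parameter is matched against a fixed list of names instead of being joined into a file path. The in-memory `Map`, `TTL_MS`, `SCRIPTS` and all function names are assumptions made for the illustration.

```javascript
// Added example (not the poster's code): one-time keys for script delivery.
const crypto = require('crypto');

const TTL_MS = 60 * 1000;   // assumed key lifetime
const keys = new Map();     // in-memory stand-in for the key database

// Constructed sample scripts. Looking names up in an allowlist replaces
// building a filesystem path from the `f` request parameter.
const SCRIPTS = new Map([
  ['app.js', 'console.log("app");'],
  ['ui.js', 'console.log("ui");'],
]);

// Step 1: issue an unguessable key when the page is rendered.
function issueKey(now = Date.now()) {
  const key = crypto.randomBytes(16).toString('hex');
  keys.set(key, now + TTL_MS);
  return key;
}

// Check and delete in one step, so two requests carrying the same key
// cannot both pass a separate validity check before the delete runs.
// With a real database this would be a single DELETE whose affected-row
// count decides the outcome.
function consumeKey(key, now = Date.now()) {
  const expires = keys.get(key);
  if (expires === undefined) return false;
  keys.delete(key);         // single use, even when already expired
  return now <= expires;
}

// Step 3: return the requested scripts, or null when the key is unknown,
// spent or expired, or any requested name is not in the allowlist.
function serveScripts(key, fileParam, now = Date.now()) {
  const names = String(fileParam).split(',');
  if (!names.every((n) => SCRIPTS.has(n))) return null; // rejects ../ and unknown names
  if (!consumeKey(key, now)) return null;
  return names.map((n) => SCRIPTS.get(n)).join('\n');
}

// Demo: the first request gets the source, a replay of the same key does not.
const demoKey = issueKey();
console.log(serveScripts(demoKey, 'app.js,ui.js') !== null);
console.log(serveScripts(demoKey, 'app.js'));
```

Whoever makes the first request with a valid key receives the complete script source; the key only blocks later replays of the same URL.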
  2. Ambassy


    I know this thread is rather old but I just found it now.
    It's a smart system but wouldn't people be able to clearly see the javascript that is returned by the server with a tool such as Fiddler?
    Or well, of course they would, seeing as it has to be returned by the server somehow.