
Best practices for protecting web application source code?

I am looking for best practices in how to secure/protect my web application code from being viewed/stolen/used. I am also looking into how to limit the amount of visible code, i.e., what should go on the server, and what on the client?

I am new to web dev, so I am just learning about things like how JavaScript is extremely difficult to protect.

I've read this thread, how to protect jsp pages from being open source, and the duplicates that have been made, but these are older questions.

I was curious what approaches are good ones to take if we have to use JavaScript/jQuery? As mentioned above what kinds of logic should be on the server, what should be in the client? Does node.js do anything to stop the code from being shown or does it only serve js to the client (or do something else entirely)?

I have read up and found a few applications that seem good, but as many have said, it's "impossible to 100% protect JavaScript code."

https://github.com/jxcore/jxcore-release

https://jscrambler.com/en/

http://docs.sonhlab.com/protect-javascript-from-copying/

https://developers.google.com/closure/?csw=1

Are any of these good? Is jscrambler worth the money?

I am also curious what other code (besides HTML and CSS) is available for people to view on the client?

I also want to explain a little bit about the application I am trying to develop. I am in the process of developing an application that draws shapes on the screen using SVG. From there I have menu options to change the objects, i.e., instead of a color, switch the element with its image that's provided. I wanted this to be fully AJAX and change instantly when the menu is clicked. I am using jQuery for everything, and reading in my data via JSON which is on my server.

Originally I was working with JSP/Servlets, but I still needed to create the data via SVG and do things with jQuery and AJAX, so I believe this would still have visible code.

I do secure my application using Apache Shiro for authentication and authorization, but I also will be setting up a guest account for people to try out the product, so that limits how much security I do have on the source code if anyone can view the trial account.

Most of my code is not in jQuery/JavaScript, just the drawing of my elements. Eventually this will grow, so I am concerned overall. So I am curious, what are some best practices that one should take in order to make sure their application code is as protected as possible?

What are some best practices with regard to what code should go where (or is that based on preference? I would assume there would be some useful tips, though).

I too landed in a similar situation. This is what I finally adopted. The basis for the decision primarily boiled down to the following criteria:

1. Ease of maintenance - Just because I have to protect it, it should not impact my development version. Also, it should be easier to release patches, and support cross-platform installations and upgrades.
2. Automating the process of protecting the source with Continuous Integration / deployment.
3. Time taken to decode the source code and make sense of it - Any skilled professional would not spend huge effort in decrypting the source code, as they can build one using that time. Others who spend that much time in decrypting will not have that much skill to compete with us in guiding the product roadmap.

Now coming to the answer:

1. Client side protection: As the code runs in the browser and we are not interested in the log files, proven methodologies of script concatenation and obfuscation (uglify) would be good enough.

2. Server side protection: This is required only when you do a license sale or deploy on the customer's site, as otherwise (platform as a service) you would have protected access to these files. So, when it is required, as we will also be interested in the log files too, the best option would be to go with an exe. The closest that is available for the NodeJS platform to create something "like" an exe is EncloseJS. Here the problems are unoptimized code, a tightly coupled nodejs version, etc. But won't we normally trade off one for another in our architecture? The other option is JXCore. I am not able to get enough documentation on it, as most of the doc links based on jxcore.com were breaking. It encrypts the source code and creates the package. We execute our nodejs app through jxcore, which decrypts the code before executing it. The problem is how the encryption key is stored and retrieved at the time of decryption, as they employ symmetric encryption. (I am not too sure.)
