Protecting Your Scripts
Like this article? We recommend
Like this article? We recommend
Like this article? We recommend
You've worked hard on your script, and now it's time to put it on the Web. What can you do to protect it from being used and reused by others? Here are some simple options you can use to protect your work.
Protecting Your Scripts
You've worked hard on your JavaScript project and now it's time to put it on the Web. Make it live.
Make it available to others to copy.
A question often asked is "How can I protect my scripts from being copied/stolen/dissected by others?"
Here's the problem. If you are working with a programming language, such as C++, Java, or Visual Basic, the compiling process—the process that creates the executable or applet—protects your script from prying eyes and inspiration seekers. Figure 1 shows an example of what compiled code looks like.
){kind=link}
Figure 1 Compiled code.
If you work with JavaScript, you have no such protection. Because it'san interpreted language, all the code is there in plain text for anyone to lookat, take, modify, and reuse. Take a look at Figure 2, which shows a snippet ofJavaScript.
){kind=link}
Figure 2 JavaScript code. Compare this to the compiled code in Figure 1.
So what can you do? Well, before we look at what you can do, let's getsome of the myths out of the way and just run through some of the things thatyou cannot realistically do to your online script.
NOTE
The same applies to your images too, another common Web commodity that developers would like to protect.
You cannot "password protect" your scripts...unless you make the password available to everyone.
You cannot disable the visitor's ability to download Web pages.
-
You cannot prevent the visitor from looking at the source of your pages (there are ways to override the right-click that gives access to the "view source" option by using script but this is unreliable—to begin with there is a "view source" on the menu too! Figure 3 shows you an alternative way to access view source.
){kind=link}
Figure 3 An alternative way to access view source.
So, what can you do? Here are some ideas that can help you protect your intellectual property on the Web.
Don't Put It on the Web
This is the number one rule for anything on the Web...if you want to keep it absolutely safe, keep it off the Web. This might seem rather harsh, but it is realistic and is the only guaranteed way to keep your stuff safe!
Go for Java
If you're one step down on the paranoia ladder, something else you can do that's perhaps a little drastic is to forget JavaScript and create in Java. This way, you can create applets and even digitally sign them, securing your intellectual property from unauthorized dissemination. However, some uses, such as form validation, don't lend themselves well to Java.
Go for Flash
Another option available to you is to ditch JavaScript and go for Flash instead. Same limitations as Java, and possibly not as hardened against "reverse engineering".
Add the Artist's Signature to Your Work
Now, assuming that after everything we've said, you still want to use JavaScript (we really hope we've not put you off too much!), a simple step you can take that won't protect your work but may help to make sure that you get the credit you deserve at least is to place a simple notice into the script (some people call this a copyright notice but we prefer just notice).
There are three good places to place this notice:
At the beginning
At the end
In the stream of the code
A notice (or notices at regular intervals if the code is long) in the stream of the code makes a great deal of sense because it is harder to spot and makes removing them all more difficult.
Here is an example of all three forms in action:
<html>
<head>
<title>Test Page</title>
<script language="javascript">
/*
* Written by Joe Bloggs on 2001/07/20
* youremail@yourURL.com; http://www.yourURL.com
*/
function start()
{
alert("Simple script!"); // Written by Joe Bloggs on 2001/07/20
}
/*
* Written by Joe Bloggs on 2001/07/20
* youremail@yourURL.com; http://www.yourURL.com
*/
</script>
</head>
<body onLoad="start()">
</body>
</html>
Adding all three to such a short script might be overkill, but if your scripts are reasonably long, it makes more sense.
Use Absolute URLs in Your Scripts
Whenever you need to use URLs in your scripts, you can make them harder to "remodify" for use on other sites by making all the URLs it contains absolute URLS. So instead of using image1.gif, use http://www.yourURL.com/image1.gif. This will slow down anyone looking for "inspiration."
Go External!
Place your script or scripts into one (or more) external script file. This is still a plain text file, and it is still subject to the same vulnerabilities as the other forms—but they are harder to read, follow and modify. The more you use (within reason), the better the protection will be.
Make Your Script Hard to Follow
Why comment a script on the Web? Who are those comments for? Strip out the comments (apart from the notices mentioned earlier) from your scripts before making them live—you can always keep a commented copy for your own use.
Encode Your Scripts
If you are creating script for an Internet-Explorer-5-or-later-only target audience, you can use the new Microsoft Script Encoder to encode your scripts and hide them from prying eyes.
The Windows Script Encoder allows you to encode any scripts that you might have in HTML pages, ASP pages, and Windows Script Host files so that it is difficult for users to read your code. Note the word difficult—not imposst—it's not foolproof, and there are crackers out there for it.
You can download the script encoder from http://msdn.microsoft.com/scripting/vbscript/download/vbsdown.htm.
Using the script encoder, which is a command line program, you can turn it into the following script:
<html>
<head>
<title>Test Page</title>
<script language="javascript">
/*
* Written by Joe Bloggs on 2001/07/20
* youremail@yourURL.com; http://www.yourURL.com
*/
//**Start Encode**
function start()
{
alert("Simple script!");
}
</script>
</head>
<body onLoad="start()">
</body>
</html>
Into this encrypted script shown below:
<html> <head> <title>Test Page</title> <script language="JScript.Encode"> /* * Written by Joe Bloggs on 2001/07/20 * youremail@yourURL.com; http://www.yourURL.com */ //**Start Encode**#@~^PgAAAA==@#@&0; mDkW PkOlMYc#@#@&´@#@&lV.YvJ?bh2VPkm.k2OeJbi@#@&8@#@&mA8AAA==^#~@</script> </head> <body onLoad="start()"> </body> </html>
By typing in the following at the Command Prompt (with the Script Encoder installed). See Figure 4.
){kind=link}
Figure 4 Command prompt instructions for Script Encoder.
The Script Encoder is really easy to use, you just need to remember to place //**Start Encode** where you want the encoding to start. It's quick and easy to use and is an effective deterrent, but it only works in an Internet Explorer environment, which is a severe limitation indeed.