Let's say I've to include the following line with my website header:
<script type="text/javascript" language="javascript" src="file.js"></script>
Now anyone easily can visit my--web--site/file.js and view its source.
So, I wonder if there any idea I can rename file.js to file.php and still able to call it and works fine, so that no one can view it by visiting my--web--site/file.php.
Any idea?
About the only thing you could do is to make it difficult to read and understand your JavaScript code.
Check out this post on the YUI blog about Minification and Obfuscation. Minification will have the added benfit of making your script smaller and thus load faster.
Take special note of what the article has to say in its closing paragraph:
Then finally, there is that question of code privacy. This is a lost cause. There is no transformation that will keep a determined hacker from understanding your program. This turns out to be true for all programs in all languages, it is just more obviously true with JavaScript because it is delivered in source form. The privacy benefit provided by obfuscation is an illusion. If you don’t want people to see your programs, unplug your server.
Javascript is distributed as source - if your users can't view it, they can't run it - so no, not really.
What you can do, if you are paranoid, is obfuscate and minify (google "minify javascript") the source before deploying.
This is far from bulletproof though (chrome for instance, has a very nice pretty printer in its debugging tools).
No, you cannot do this. If a person's browser is able to read your JS file, that person must also be able to read your JS file. That is how the Internet works. This is good and desirable behaviour, and you shouldn't try to keep people from reading the CSS/JS/HTML that composes your website. It is completely self-defeating and serves no purpose. Nobody is interested in stealing your JS code.
If you don't want people seeing the contents of your web page (including your JS), don't put it on the internet!
Anyone with a debugger on the client can grab your script no matter how you serve it up to the client.
No. The JavaScript file is downloaded and executed on the web browser. This means that the user needs to be able to download it.
You can obfuscate it using some kind of obfuscator that makes it a lot harder for people to read, yet keep it functional by the client.
Actually I'm developing a Chrome extension and a jQuery plugin to upload it and sell it on Codecanyon. When I "Inspect source" of the page and I click on the "Resources" tab, the javascript file looks empty. How does Codecanyon do that? I want to have file theft prevention in my own website too, but I don't know how to do it. I know php and javascript and there's no method to do it, because the browser downloads the file to execute it.
You can see the example here.
You cannot hide it because your browser needs it to perform it. Simple as that.
You need to understand that it is a script executed on the client side. It is not compiled (meaning it's not a binary (0 and 1 machine language)). So it is freely readable.
Nevertheless you can obfuscate it using tools like YUI compressor
Basically this kind of tools remove extra spacing, tabs line returns and rename methods (like method "a" standing for "MyShinyMethodWhoMakesNiceStuff") and variables. That makes it very difficult to read and understand code. Reverse engineering is thus harder to achieve.
Some uses some tricks like base64 or other encode and decode part of code with a function but it's only tricks and will not fool the sharp eye.
By obfuscation, you make people spend much more time in analyzing your code and stealing is thus much more complex, and takes time. Let's say you made a nice javascript plugin that makes every white background in purple (ok, not so great example but used it just for having an imaged example). Somebody might want to steal it and makes it blue instead of purple. If code is obfuscated, he might think that's easier to copy your idea and rewrites it on his own with his own code and blue background, it will takes him less time than reverse engineers and understanding wells yours, easier to maintain in the time too. In the end he will "only" "steal" your idea but not your code.
I think that in the end, it's just a matter of time.
If you see it's empty, it means that it's empty. There is no way to hide your javascript code from a client that must execute the code.
You can only try to make it less readable (through minifiaction and obfuscation), but the code is still tranferred and it can be reverse engineered.
The actual code in your example is downloaded with the jquery.js file.
On JavaScript "protection" - basically what everyone else said.
Explaining the example you provided:
Indeed, http://demos.pixelworkshop.fr/circular_countdown_cc/js/countdown.min.js appears to be empty, however the actual plugin code is appended to the jquery.js file, starting at line 58:
You can use this javascript obfuscator tools:
If you're licensing the code on a per-site basis, I would suggest domain locking your javascript as well.
You can do this yourself by simply checking the window.location somewhere in an encrypted file. This isn't going to be very secure, but for 90% of users who just drop a script into a directory and hope it works, it will provide some level of deterrent.
You can also use https://domainlockjs.com (free) to easily lock scripts to domains. This is a slightly better solution because DomainLockJS throws hard to trace errors and is much harder to debug.
A more complicated approach would involve using an Ajax script injection, and allowing specific domains to access the script / not trigger an XSS error. This is the hardest to set up, but if you inject a large amount of js, it might be the hardest to get around.
All of these can be circumvented by a skilled coder though... you're only making things difficult, not impossible.
Liblock is a small tool built by myself. It encrypts your JS-sources - it's no simple obscurity by obfuscation, but good security by encryption.
When you inspect the DOM in your client, all you'll see is: nplreq(url) for each script that you bind into HTML head.
See how it works here liblock-demo - this is a demo only for hiding the scripts in "nopro_lib" and "xscroll.js".
Encryption and decryption are totally transparent to the browser. It is tested with Firefox, Chrome, Opera, Konqueror, IE8-10 on PC, and with Dolphin and Safari on an Android tablet.
The sources are securely hidden, and only with really great efforts they may be layed open again. Encryption is done with AES (Rijndael 256) using one-shot-keys which are negotiated between client and (liblock-)server using Diffie-Hellman.
Guys/Gals I have made a website but now I want to encode the script so that no one can copy.
I'm using PHP, JavaScript and HTML in each page of my website. So how do I encrypt each and every page?
Thank You.
No need to encrypt - noone will ever see it (unless your site has security problems).
You can pack it. Can be reversed.
You can remove all whitespace. This is problematic with pre and white-space: pre.
It is also very ease to export the formatted DOM structure that is the end result of your serialised mess.
The Most Important Part
Obfuscate to make pages load faster - not to stop people from stealing your code/markup. If your code is really worth stealing (which I doubt it, no offense), then people will get it.
Neither html nor javascript can be encrypted, else the browsers would not be able to interprete it and your visitors would not be able to view your site. Dot. End. Compression tools may boost performance a little but will not really help against copyright infringement.
Your php-programs generate html, your visitors will always be able to see your html, but if your server is configured properly no one should ever see your php.
Just get comfortable with the idea that putting something on the web is to open it to the world.
Cost in attempting to stop duplication of the stuff you've already decided to make publicly available: $your hourly rate x hours == ??
Cost to stop worrying about something that doesn't actually cost you anything: zero. winner.
(And to head off another question you're inevitably going to ask at some point in future - Don't attempt to disable right-clicks. It just annoys everyone and doesn't achieve anything.)
Try using Javascript Obfuscator for your javascripts.
It will not hide you script but it protects JavaScript code from stealing and shrinks size.
if you do a google on "html encryption" you'll get a lot of hits.
The question I have is why you would want to do this? You're going to have a performance hit for what gain?
You can also do the same for javascript but unless your html or javascript has organisational sensitive data then... And if they do then perhaps that's not the best place for it.
Actually one way to do it is to use XML + XSLT, it's extremely difficult for a lay-person to figure out what is going on, even more difficult for them to get your sauce code.
search google for ioncube
This converts the html into gibberish. Stealing your html becomes difficult.
Nobody's html code is worth stealing anyways. This is only for self satisfaction.
The most I have ever been able to do to protect my code is to disable the right click with this line of code:
<body oncontextmenu="return false">
but it doesn't mean they can't right click on another page open inspect element and go back to your page and look at the code it can only stop them from viewing the source code for the most part.
Little late, by 10 years, but I've found a website that encrypts HTML. However, it doesn't work with PHP, it does work with JS. Evrsoft is what I've used for my website. It's the only HTML encryption I've found so far. If you've got PHP in your code, only encrypt the HTML in the page and leave the PHP raw. Nobody can see PHP anyway. It's a free service.
I have a whole range of jQuery code, how do I stop users from seeing the actual code, or how can I encrypt the .js file.
Please suggest opensource
I don't want users to know how I have coded or copy my code
Once I use the base62 encode, can it be reverse engineered?
Check out packer by Dean Edwards. It has the ability to encode your JS. You have to let your JS be world readable, otherwise a browser couldn't download it.
You cannot prevent your users from being able to see the source code of a Javascript file : it's executed by the user's browser, which means it must be readable on the client side.
The "best" you can do it minify/obfuscate it ; see for instance the YUI Compressor, which exists to minify JS files (so they are smaller, and can be transferred faster), but also has some obfuscating functionnalities.
If will make you Javascript code harder to read/understand -- but someone really motivated will still be able to read it ; well, it will take some time and a bit of work, but it'll still be possible.
You can use google closure compiler
The Closure Compiler compiles JavaScript into compact code, it obfuscates the code, it can still be read but it will be hard to trace and will take time
Try to pack the code with the packer:
This is not like code encryption, but it obfuscate the code.
There is not really much point in encrypting your js file, everyone knows you can view the source code of anyone's website. I believe there are encryptors out there for javascript, but users will have to download the decryptor module to decrypt it. Also since the browser does need to interpret the code, it would probably not be that hard to circumvent.
You could obfuscate the code, but I would do this using a minification technique, and more for performance reasons rather that hiding the code, some obfuscators are more intrusive than others, but again, the code could be re-formatted, albiet the original variable names will not be recoverable.
You just can't encrypt JavaScript that runs on the client machine. Browsers need the unencrypted code in order to execute it!
This is the first thing I found, but it looks like it might do the job:
As others have mentioned though, the browser has to be be able to decrypt the code, so the user would also be able to (although it may be some work to do so).
You should look at obfuscation too, which will make the code much harder to reverse engineer.
Is there any way to disable or encrypt "View Source" for my site so that I can secure my code?
Your question doesn't make much sense. The "View Source" is showing the HTML source—if you encrypt that, the user (and the browser) won't be able to read your content anymore.
If you want to protect your PHP source, then there are tools like Zend Guard. It would encrypt your source code and make it hard to reverse engineer.
If you want to protect your JavaScript, you can minify it with, for example, YUI Compressor. It won't prevent the user from using your code since, like the user, the browser needs to be able to read the code somehow, but at least it would make the task more difficult.
If you are more worried about user privacy, you should use SSL to make sure the sensitive information is encrypted when on the wire.
Finally, it is technically possible to encrypt the content of a page and use JavaScript to decrypt it, but since this relies on JavaScript, an experienced user could defeat this in a couple of minutes. Plus all these problems would appear:
Search engines won't be able to index your pages...
Users with JavaScript disabled would see the encrypted page
It could perform really poorly depending the amount of content you have
So I don't advise you to use this solution.
You can't really disable that because eventually the browser will still need to read and parse the source in order to output.
If there is something SO important in your source code, I recommend you hide it on server side.
Even if you encrypt or obfuscate your HTML source, eventually we still can eval and view it. Using Firebug for instance, we can see source code no matter what.
If you are selling PHP software, you can consider Software as a Service (SaaS).
So you want to encrypt your HTML source. You can encrypt it using some javascript tool, but beware that if the user is smart enough, he will always be able to decrypt it doing the same thing that the browser should do: run the javascript and see the generated HTML.
EDIT: See this HTML scrambler as an example on how to encrypt it:
EDIT2: And .. see this one for how to decrypt it :)
Short answer is not, html is an open text format what ever you do if the page renders people will be able to see your source code. You can use javascript to disable the right click which will work on some browsers but any one wanting to use your code will know how to avoid this. You can also have javascrpit emit the html after storing this encoded, this will have bad impacts on development, accessibility, and speed of load. After all that any one with firebug installed will still be able to see you html code.
There is also very really a lot of value in your html, your real ip is in your server code which stays safe and sound on your server.
This is fundamentally impossible. As (almost) everybody has said, the web browser of your user needs to be able to read your html and Javascript, and browsers exist to serve their users -- not you.
What this means is that no matter what you do there is eventually going to be something on a user's machine that looks like:
<div id="my secret page layout trick"> ...
because otherwise there is nothing to show the user. If that exists on the client-side, then you have lost control of it. Even if you managed to convince every browser-maker on the planet to not make that available through a "view source" option -- which is, you know, unlikely -- the text will still exist on that user's machine, and somebody will figure out how to get to it. And that will never happen, browsers will always exist to serve their users before all others. (Hopefully)
The same thing is true for all of your Javascript. Let me say it again: nothing that you send to a user is secure or secret from that user. The encryption via Javascript hack is stupid and cannot work in any meaningful sense.
(Well, actually, Flash and Silverlight ship binaries, but I don't think that they're encrypted. So they are at the least irritating to get data out of.)
As others have said, the only way to keep something secret from your users is to not give it to them: put the logic in your server and make sure that it is never sent. For example, all of the code that you write in PHP (or Python/Ruby/Perl/Java/C...) should never be seen by your users. This is e.g. why Google still has a business. What they give you is fundamentally uninteresting compared to what they never send to you. And, because they realize this, they try to make most things that they send you as open as useful as possible. Because it's the infrastructure -- the Terrabyte-huge maps database and pathfinding software, as opposed to the snazzy map that you can click and drag -- that you are trading your privacy for.
Another example: I'm not sure if you remember how many tricks people employed in the early days of the web to try and keep people from saving images to disk. When was the last time you ran across one of those? Know why? Because once data is on your user's machine, she controls it. Not you.
So, in short: if you want to keep something secret from your user, don't give it to her.
You cant. The browser needs the source to render the page. If the user user wishes the user may have the browser show the source. Firefox can also show you the DOM of the page. You can obfuscate the source but not encrypt or lock the user out.
Also why would you want this, it seem like a lame ass thing to do :P
I don't think there is a way to do this. Because if you encrypt how the browser will understand the HTML?
No. The browsers offer no ability for the HTML/javascript to disable that feature (thankfully). Plus even if you could the HTML is still transmitted in plain text ready for a HTTP sniffer to read.
Best you could do would be to somehow obscure the HTML/javascript to make it hard to read. But then debuggers like Firebug and IE 8's debugger will reconstruct it from the DOM making it easy to read,
You can, in fact, disable the right click function. It is useless to do so, however, as most browsers now have built in inspector tools which show the source anyway. Not to mention that other workarounds (such as saving the page, then opening the source, or simply using hotkeys) exist for viewing the html source. Tutorials for disabling the right click function abound across the web, so a quick google search will point you in the right direction if you fell an overwhelming urge to waste your time.
There is no full proof way.
But You can fool many people using simple Hack using below methods:
"window.history.pushState()" and
adding oncontextmenu="return false" in body tag as attribute
Detail here - http://freelancer.usercv.com/blog/28/hide-website-source-code-in-view-source-using-stupid-one-line-chinese-hack-code
You can also use “javascript obfuscation” to further complicate things, but it won’t hide it completely.
“Inspect Element” can reveal everything beyond view-source.
Yes, you can have your whole website being rendered dynamically via javascript which would be encrypted/packed/obfuscated like there is no tomorrow.
I was wondering, I want to plant a JS tracking code (analytics) in a few websites to track their traffic. But I don't want that when viewing the site's source code people will be able to see that I've embedded the JS tracking code there.
Is it possible? Maybe by using an Apache/PHP trick?
Nope it's not possible, for the browser to execute any code at least some of it must be initially visible, even if that code is to then retrieve the tracking code itself.
In addition all the modern web developer tools provide access to any code that is loaded so anyone can use those to see anything you've attempted to load discretely.
The more important question is why you want to hide that you're tracking people?
It's not absolutely possible with Javascript. Javascript always runs in the context of the user's browser, so it always means that the user will have access to see the script. You can obfuscate it, or try some tricks similar to anti-hotlinking on the JS code, but it will still be relatively easy for someone to figure out what the code does with a simple tool like Firebug.
You can, however, track your traffic without JavaScript. Analytics uses JavaScript for portability, and because some of the data it accesses can only be accessed with JavaScript. However, there are more passive ways of tracking your traffic which don't require JavaScript, such as any log analyzer like AWstats. You just don't get some of the cool features of Analytics.
It's not possible, but you could just name your script file something innocent like "mouseover.js".
It's not possible: JS code has to be run by the web browser, which means that -- which ever way you try put it -- it has to be readable by the browser and thus by anyone that inspects the page.
You could try obfuscating the JS, but that won't stop anyone that is determined to see what's happening.
You could ask yourself what the odds are that more than a few people will check whether you're tracking them -- I wouldn't expect it.
You can't technically hide the code... But you can scramble it so it's not readable to anybody. I used http://hivelogic.com/enkoder/form by Dan Benjamin to scrable some JS on my page (in this case I scrambled my email address). It scrambles it so the browser can execute it, but it's not humanly readable...
Then you can just call it as a function like I did in from this script http://www.jamischarles.com/css_js/email_encoder.js. Give it a try.