node.js - Code Protection?

Question

I want to use node.js in my next project, but my boss does not like that our competitors can read the source code.

Is there a way to protect the JavaScript code?

Answer 1

To be very clear, client-side Javascript (as downloaded from a remote server into a standard web browser) cannot be protected from viewing and/or modification no matter how you obfuscate it since reconstruction ("de-obfuscation") of the original source is technically trivial. (Javascript obfuscation is simply another example of the widely used security misnomer "security through obscurity".)

If you wish to use Javascript and Node.js to provide a protected "product" (which in this context is an application or service requiring installation on a server your company does not control), you cannot secure it either as the only option available to you (obfuscation) provides no such protection.

It should be noted that even if your product is provided as a binary executable that is no guarantee you can protect the intellectual property it contains as any binary can be decompiled into an understandable format. In this case, we enjoy some level of security based on the excessive resources (time/expertise) required to convert low-level machine code (as provided by decompilation) into the higher-level logic constructs used by modern programming languages. (This from one who once decompiled CP/M into an understanding of its internal design by hand. ;)

All however is not lost: if we assume that one can protect intellectual property programmatically (the jury is still out on this one), there is a way to provide a Node.js-based product in a secure fashion, but it is not for the technically unadventurous as it would require substantial refactoring of the Node.js source code (to add support for cryptographically secure libraries and remove--or otherwise protect--object reflection for your proprietary libraries.)