Hi All,

I am a web developer and I am lately becoming fairly security conscious.

So two questions for you and any help appreciated.

1)I have my hesitations about my web code being revealed to everyone through the "view page source" feature of web browsers. Apparently the source review may reveal quite a few hints that affect security. Is there a way to prevent people from seeing this?

2)Being a web developer (especially PHP) I would like to know how I can restrict my programs to run on specific domains only. In this way if someone steals my code he can not deploy it on his server.


Thanks for your help all

peter

Selfish, aren't we?

If your page code is going to run on a user's browser, it must be in source form. The browser itself needs source code. It's an interpreter. The code is never compiled.

If your code won't run on any domain except yours, it won't run on anyone else's ISP, so nobody except people who subscribe to your own ISP could display it.

Also, anyone smart enough to hijack your code could also fix any trick you use to restrict its use.

What I suggest is to put your copyright info in a comment, or on the web page itself. If the info is in a comment, the pirate might not notice it, and then you have proof of piracy when you see your copyright notice on his page in source code mode. Print the screen and see a lawyer. He'll get all the money, but the offender will have to stop using your work.

- Don't implement any kind of security using javascript, implement it at the server. The source for serverside scripts is never shown in a View Source, and can't be seen unless your server is compromised or you have lax protection/errors there.

As MidiMagic said; if someone steals your code, they're clearly going to remove any protection you've added to it.

In PHP you've got very little hope of effective code protection, but even if you have a compiled program, it's going to be crackable in some way or another.

Better to just be proud if people want to use your creations than to spend too much effort getting tied up in trying to make them inpenetrable.

But... I suppose this is about the best sort of protective means you'll get with protecting interpretted code:

http://en.wikipedia.org/wiki/Obfuscation
http://en.wikipedia.org/wiki/Obfuscated_code


http://www.raizlabs.com/software/phpobfuscator/

webdevelopa,

I agree with mattevans. I just want to add up that doing is not the only thing you can do. You may add encoding and encryption to your payload and mix it with obfuscation. That will provide a further layer of protection. There are a couple of tools out there that you could use for this. The one I have been using with success is webarmour. You can find it at: http://www.nesicon.com/webarmour. It does obfuscation and encoding and also supports other cool features such as blocking out browsers, check if they support activex or shockwave, protecting your images with right click and others... Last time I checked they were offering a free trial so I was able to fully test my stuff before I bought it. Hope this helps you out.