2

For a usual NodeJS instance, we can start it with node server.js. The problem with this is that, in a production server, when a hacker compromises my machine they will be able to view and copy all of my server-side source code. This is a big risk, since the source code contains intellectual property. Is there a way to prevent it from happening?

For example, in Java, code is usually built into a jar package or .class files and we only deploy the built file. When a hacker compromises the machine, they can only see the jar or .class file, which is only byte code and not understandable.

I have a similar concern on my Python Flask server.

durron597
HenryNguyen

2 Answers

2

I am looking at 3 alternatives now and would love to hear more on this subject:

http://jxcore.com/home/ - "JXcore is a Node.JS fork with additional features." it also supports running nodeJS code on other platforms

https://jaredallard.me/nexe/ - "Compile your Node.js project. No sources aboard."

http://enclosejs.com/ - "Compile your Node.js project. No sources aboard."

Avi Kessel
-2

Do you know how easy it is to decompile java class files?

Seriously, you pop the jar into IntelliJ IDEA (or almost any other IDE) and it spits out decompiled code that's readable enough to reverse engineer. Compiled code offers no security advantages versus interpreted code.

Rather than trying to "encrypt" or "hide" your NodeJS code, why not secure the server better? You will never outpace people reverse engineering your code; you are much better off defending the box that the chocolates are in than poisoning the chocolates.

nameless912
  • I disagree, though. Java might be a bad example, but C/C++ has a way to compile/package the product and release it into the market. For example, MS Office: when end users use the software, they are able to reverse engineer MS Office code and find a whole bunch of hard-to-understand logic and byte code. It is much less severe than leaking the original source code. – HenryNguyen Jul 30 '15 at 10:07
  • Decompilers still exist. The point I'm trying to make is you will never, ever secure your code just by making it harder to read. You're better off preventing a source code leak, *especially* in the case of something like NodeJS, than trying to make the code "unreadable". Of course, JavaScript minifiers exist which help a little, and there are ways to obfuscate things, but in general it shouldn't be your focus. – nameless912 Jul 30 '15 at 16:19
  • @nameless912 decompilation is not perfect. Consider there are obfuscation techniques :) – Viswanath Lekshmanan Aug 16 '16 at 11:12
  • OP doesn't ask about this. He is more concerned about how to deal with hiding his Node.JS Source code. This is probably better suited to a comment on the original question. No offense. Peace. – Divij Sehgal Jan 08 '19 at 19:09