JavaScript · Licensing

How to enforce licensing for service offered through Javascript?

Murali Sangubhatla Co-founder at 500 Miles

October 27th, 2014

I am developing a solution that will potentially be rolled out in an international market first. At the moment, the barrier for entry is pretty low and I want to protect the code from stealing. The solution is completely Javascript and runs within the browser.

I came across JScrambler as a potential solution (may not be foolproof but good enough to block easy duplication & maintenance). Before I get onto their monthly plan, wanted to check if anyone else has approached a similar problem.

[Strangely, search results on this topic on the web are pretty outdated and I am probably the only guy trying to be too protective :-)]

John Pettitt Visionary multi platform engineering executive and technology entrepreneur

October 27th, 2014

Copy protection/DRM is and always has been a waste of time. The bad guys will always evade it and it increases your support costs and inconveniences real customers. In the real world if a competitor steals your code then DMCA takedowns to their ISP can be very effective, even if they are not in the US but their ISP or domain registrar is.  

Make sure your code has a strong copyright notice, use the Closure Compiler to minimize it (which also obfuscates) and then concentrate on making your product better than other offerings. Time spent on DRM is wasted development effort.

Some history:

Software DRM - largely abandoned by the 90's
Music DRM - largely abandoned post iTunes early 2000's.
Video DRM - still in play but makes zero difference to piracy.
Book DRM - still in play but makes no difference to piracy.


October 27th, 2014

I'm with John Pettitt on this. Minification and obfuscation don't really help anymore these days. There are at least 10 different AI-based tools I've seen released in the past year for *literally* deobfuscating JavaScript code (that is, getting actual variable names back, repositioning code, and so on). My favorite is JS NICE … it has worked beautifully like 85% of the times I've used it. Sure, minify and obfuscate as necessary, but please don't waste your time on it.

- Jonathan

Liam Carolan Marketing Technologist

October 28th, 2014

I agree with Mike Nugent and I'll take it a step further.  In my view, this begins with  your intention.  If you're developing code for yourself to sell and profit from quickly - that's one thing, but if you're creating something to grow the pie and help people improve their lives etc., then it is in the spirit of the effort to allow others to benefit in the same way. 

The only condition being that all roads lead back to you.  The universal law of effort and reward seems to always get it right.  Focus on ways to exploit improvement and speed to market.

Any effort in the code world (with a few exceptions) should be built around a strategic plan that is long-term and full of partners.

For example, look at Matt Mullenweg - at one point he was faced with a similar decision.

Do you believe he made the wrong choice? Would his achievements to date with his "idea" have reached the position of today with a sales/ownership model? 

In the end - his product is making money and will continue to do so because almost anyone can take advantage of the platform to grow their ideas.

There are hundreds of others making these choices as well and while my example may be made up of differently positioned circumstances... the principle is exactly the same.

I would strongly consider the open source model for the reasons mentioned here - and it goes without saying "be smart about it" 

Seek many advisors and consider the benefit you will receive from collective participation in improving your product as opposed to just you doing it.


Corey Butler Entrepreneur, Consultant, & Web/Data Engineer

October 27th, 2014

There is no foolproof way to prevent theft of code, especially in the browser. My motto is "if you can make it, they can break it". The best we can do is put as many barriers in front of thieves as possible, with a goal of making it time consuming enough that they give up. It only takes one persistent person though.

I remember seeing JScrambler when it was released. Personally, I'm not sold on it. Minification/obfuscation provides the bulk of protection. While this process can be reversed pretty easily, you never see things like original function or variable names, so your code can still be painful to understand even if it is reverse engineered. A persistent person could still capture the flow with a profiling tool though, so there really is no way to prevent this.

I don't know what your product is doing, but there are some potential scare tactics you could use to threaten ill-biding folks. For example, utilize a client side SSL certificate check on your server. You can use this to prevent network traffic, such as the route to your .js file. Of course, this adds a ton of administrative overhead, but anything you can do to personally identify an individual will be a threat to thieves. The real question is where the tipping point is between security and annoying normal users.

If you want to see more conversations about this, look up protecting node-webkit code. You'll find the same response I just gave you, but you'll see explanations of why this is so challenging for any software. There is no 100% safe.... the question is how much is good enough.

Hope that helps.
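
A sketch of the client-certificate gate described in the reply above, added here as an illustration and not code from the thread or any participant. The licensee registry, the `/app.js` route and the function names are hypothetical; the gate identifies (and can revoke) who fetches the script, but does not stop copying after delivery.

```javascript
// Added example (not from the thread). Wiring in Node.js, with key/cert/ca loaded by you:
//   https.createServer({ key, cert, ca: licenseeCa,
//                        requestCert: true, rejectUnauthorized: false }, handleRequest)
// requestCert asks the browser for a certificate; rejectUnauthorized: false lets the
// handler answer unlicensed clients with a 403 instead of a failed handshake.

// Hypothetical registry keyed by certificate SHA-256 fingerprint (constructed values).
const LICENSEES = new Map([
  ['AA:'.repeat(31) + 'AA', { name: 'acme-corp', revoked: false }],
  ['BB:'.repeat(31) + 'BB', { name: 'former-customer', revoked: true }],
]);
const BUNDLE = '/* licensed application code */';

// Decide from the TLS socket alone whether this client may fetch the bundle.
function checkLicense(socket) {
  // authorized is true only when the certificate chains to a CA in the `ca` option.
  if (!socket.authorized) {
    return { ok: false, status: 403, reason: 'no valid client certificate' };
  }
  const entry = LICENSEES.get(socket.getPeerCertificate().fingerprint256);
  if (!entry) return { ok: false, status: 403, reason: 'certificate not registered' };
  if (entry.revoked) {
    return { ok: false, status: 403, reason: 'license revoked', licensee: entry.name };
  }
  return { ok: true, status: 200, licensee: entry.name };
}

function handleRequest(req, res) {
  if (req.url !== '/app.js') {
    res.writeHead(404);
    return res.end();
  }
  const verdict = checkLicense(req.socket);
  // Audit line: every fetch of the bundle is tied to a named licensee (or a refusal).
  console.log(JSON.stringify({ url: req.url, ...verdict }));
  if (!verdict.ok) {
    res.writeHead(verdict.status, { 'Content-Type': 'text/plain' });
    return res.end(verdict.reason);
  }
  res.writeHead(200, {
    'Content-Type': 'application/javascript',
    'Cache-Control': 'private, no-store',
  });
  res.end(BUNDLE);
}
```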

Karuna Govind Software Architect (Contract)

October 27th, 2014

I haven't used jscrambler but I very much doubt it's irreversible - obfuscated maybe, but it won't be impossible to clone if someone really wanted to. 

Have a look at - that could work for you (not that I've tried it yet).

Corey Butler Entrepreneur, Consultant, & Web/Data Engineer

October 28th, 2014

Quick point on debugging obfuscated JS: it is still easy if you create a JS source map for your code.

The open source approach is certainly a viable way to launch an MVP in a new market and often highlights paths to a potentially profitable business. 

I released a free/OSS node-webkit app about 6 months ago. In that time, the project picked up over 10K unique users (with a healthy portion of that being outside the US), a strong opt-in mailing list of registered users, closing in on 800 Github stargazers, and has received worldwide exposure in multiple popular JavaScript publications/Hacker News/etc. I've had a lot of great feedback from users, as well as bug fixes and new features all provided by the community. There is no way I would have made that much traction that quickly with a proprietary code base. Free opens publicity doors, builds communities, and increases excitement.... and I don't lose sleep over stolen code. It actually gave me a market for value-add commercial services on a silver platter.

Murali Sangubhatla Co-founder at 500 Miles

October 27th, 2014

Thanks everyone for pitching in!!

I will go with obfuscation as suggested and focus on making the product better.

Pierre-Yves B

October 27th, 2014

Can you move the business logic on a server? Depending on your case, you could reuse your code on a JS server (say, node.js). Please tell us how it goes :-)

Murali Sangubhatla Co-founder at 500 Miles

October 27th, 2014

@Pierre - On a similar, but mobile version, I am using node to provide the service and in that case, it is well protected. However, for this particular case, Client-side is the most efficient and flexible option.

Mike Nugent Reliability and Performance Engineer at Facebook

October 27th, 2014

You could go the opposite direction also. If you open source what you're doing, you could get people helping to write and maintain your code. Javascript isn't especially interesting to download off a site since it's pretty heavily tied to the back end. It also doesn't really stop anyone. Here's an article on some tools to de-obfuscate the code

The other advantage to not obfuscating is that you can easily debug code. Be sure you're actually blocking people from doing something you care about and aren't just hindering your own development efforts.