8

I have a web application developed using Python, HTML, CSS & JavaScript.

The customer installs it on any of their own machines and uses it through their LAN. In short, the customer sets up the web server on one of their own machines.

Since it's a web application, all the source code is open to the customer in the document root directory of the web server. I want to encrypt the whole source code in the document root directory in such a way that it does not affect the working of the web application.

Is there any way to encrypt the Python, HTML, CSS & JavaScript for this purpose?

ASKN
  • 915

3 Answers

20

Once your customer has a program they can run, they will be able to reverse engineer it given sufficient time & skill. That is just a fact of life.

If you really want to stop it, you should host and run the software yourself (SaaS).

Having said that, something like Python will be easier than C. Let's split this into the 3 parts you asked about (and then some more).

HTML

No matter what you do here, it will be decrypted in the browser (even in the SaaS model), so encrypting it on the server is pointless. Even minifying is pointless as modern browsers like Firefox and Chrome will neatly format it for them.

CSS

See above - don't waste your time.

Javascript

Yahoo has a tool that can obfuscate it for you. Try YUI Compressor. Note, don't bother encrypting this on the server side as it must be served to the client unencrypted*, which would defeat the purpose.

Python

This is the only place you really want to spend your time - protecting your business logic. There are several methods you will find on Google, such as encrypting on disk and then decrypting at run-time. All these methods have problems, such as performance hits and having to supply the decrypter (hence enabling them to decrypt it anyway).

Your best bet to stop those not hellbent on stealing your code would be to obfuscate your Python code.

Summary

The only code you can stop someone from getting is the code you don't give them. HTML, CSS & Javascript will always end up on your user's machine in a manner they can use, so assume they will be able to steal it if they want, tough luck.

To protect your server code, the only sure-fire method is to NOT give it to them, running it in something like a SaaS model.

If that isn't possible, the best you can do is make it harder for them.

Testing

Always make sure you test on the production version you will be supplying your customers. This ensures any special build steps (such as obfuscation & minification) do not break your software.

Boring Business Stuff

So all of the above (and your question) has addressed this issue from the technical side. The other side of the coin is from the business/legal side.

If you have a small number of clients, you can provide different "watermarked" versions of your software to each client. By doing this, you increase the possibility of being able to track stolen software back to the source and take whatever legal action is appropriate.

Don't forget, if you are in a serious business, you would be best to consult a lawyer on how you can prove and enforce the ownership of your software, should things go wrong.


* not strictly true, you could serve it encrypted and have other Javascript decrypt it on the fly, but this would be near pointless as it adds a performance hit and you will have to supply the attacker with the decrypter anyway...

Dan McGrath
  • 11,181
  • 6
  • 57
  • 82
5

No.

HTML, CSS, and JavaScript cannot be encrypted as the browser needs to read them as plain text. The best you can do is obfuscate them.

For Python you could compile it into a DLL, so you are not outright giving the client the source code. But it can still be decompiled.


For argument's sake, let's say you provided a custom web server for your clients to use. This custom web server reads encrypted Python files, then compiles and runs them. A hacker could still decompile the custom web server and get full access to the decryption module and the encryption keys.

If your code (or data), in any form, is on someone else's hardware, the code can be stolen.

My proof of this: just look at all the warez sites; everything gets hacked.

Morons
  • 14,706
2

As for Python, there are a number of ways to tackle this but you will need to do some of the heavy lifting. Here are some thoughts:

  1. zip file containing just the .pyc files. This would mean you would need to either dictate the exact Python version and architecture or provide multiple .zip files, one for each architecture that you are supporting.

  2. PEP 302 introduced the importlib that will allow you to integrate your own custom importer. Examples that need custom importers are py2exe, freeze, etc. You should be able to integrate your own importer to read encrypted zip files or whatever format though you'll probably want to put some of that code into compiled C as your own module.

As for Javascript, if you mean client side, then no. But for node.js, you could do some work on the V8 engine where you load/save the compiled version of Javascript (similar to a .pyc) if available instead of using source. You'll probably need a C developer to do that work and it may require patching to specific versions of node.js.