Secure distribution of NodeJS applications

javascript security node.js deployment obfuscation

31,380

Solution 1

Yes you can create a binary format. V8 allows you to pre-compile JavaScript. Note that this might have a bunch of weird side-effects on assumptions made by node core.

Distributing source code means clients can easily steal our solution and stop paying licensing fees.

Just because you distribute the binary doesn't protect you againsts theft. They can still steal the binary code or disassemble it. This is protection through obscurity which is no protection at all.

It's better to give them a thin client app that talks to your server and keep your server code secure by not giving it away.

Solution 2

Yes it is possible, use this branch(based on 0.8.18) and any js code you put in 'deps/v8/src/extra-snapshot.js' will be ahead-of-time compiled to machine code and embedded in v8 as part of the normal builtin object initialization. You will need to build nodejs for each platform you intend to deploy your product.

The snapshotted code runs very early in the v8 initialization and you cannot access builtin objects in the 'module body'. What you can do is put all your code inside a global initialization function to be called later. Ex:

// 'this' points to the same as the object referenced by 
// 'global' in normal nodejs code.
// at this point it has nothing defined in it, so in order to use
// global objects a reference to it is needed.
var global = this;
global.initialize = function() {
  // You have to define all global objects you use in your code here;
  var Array = global.Array;
  var RegExp = global.RegExp;
  var Date = global.Date;
  // See ECMAScript v5 standard global objects for more
  // Also define nodejs global objects:
  var console = global.console;
  var process = global.process;
  // Your code goes embedded here
};

Also, this assumes your entire code is defined in a single file, so if your project uses nodejs module system(require) you need to write a script that will combine all your files in one and wrap each file in a closure that will trick your code into thinking it is a normal nodejs module. Probably each module closure would expose a require function, and this function would have to decide when to delegate to the standard 'global.require' or return exports from your other embedded modules. See how javascript module systems are implemented for ideas(requirejs is a good example).

This will make your code harder to debug since you wont see stack traces for native code.

UPDATE:

Even using v8 snapshots the code gets embedded in the node.js binary because v8 prefers lazy compilation. See this for more information.

Solution 3

We have been using pkg to create binary versions of our Node.js app before distribution.

https://github.com/zeit/pkg

In order to add license key checking we use Cryptlex:

https://docs.cryptlex.com/node-locked-licenses/using-lexactivator/using-lexactivator-with-node.js

Solution 4

I'm currently investigating the same thing and am looking at nexe which claims to be able to "create a single executable out of your node.js apps".

Can't tell you if it's any good just yet, but thought it'd be worth to share already.

Solution 5

V8 generates native machine code internally and executes it. Look here: https://github.com/v8/v8-git-mirror/blob/master/src/compiler.cc#L1178 . This feature is used in EncloseJS. EncloseJS parses the sources of your node.js project, bundles dependencies, and makes an executable binary. The sources are not included in the binary - only compiled machine code.

View more solutions

31,380

Author by

Robin Rodricks

Updated on August 22, 2020

Comments

Robin Rodricks over 3 years

What: Can NodeJS apps be distributed as binary? ie. you compile the .js app via V8 into its native binary, and distribute the binary to clients? (if you had total access to the NodeJS server)... or is minifying the code all you can do?

Why: We build serverside applications in NodeJS for clients, that have often to be hosted on the client's servers. Distributing source code means clients can easily steal our solution and stop paying licensing fees. This opens up the possibility of easy reverse-engineering or reuse of our apps without our awareness.
James Andino about 11 years

Thank you this is very useful I must try this.
user4815162342 about 11 years

@James Andino: But, even if you could compile the code, what's preventing someone from taking the executable and data files and installing them on another machine? Compiling code isn't analogous to locking a car. Compiling is a performance and packaging measure, not a security measure.
James Andino about 11 years

well my only defense to that logic is name calling.
Raynos about 11 years

These things are generally a losing race. However many resources you pump into "securing this" the other side will have more resources. You should simply not worry about this and ensure your business isn't dependent on the magic sauce in your code but on actual non-code value your company produces.
Troj almost 11 years

+1 for the suggestion of thin client app. Putting critical business logic server-side is more "secure" than distributing executable with the same business logic. Disassembling binaries (and patching them for nefarious purposes) is very easy to do with current tools at today's date.
kumarharsh almost 10 years

The way Nodejs has been evolving, the best way would definitely be a thin client. I agree with @JamesAndino on the analogy though :P I mean, by obfuscating, the developer is just setting the bar higher, so there will be lesser people who can do the reverse engineering. Although, with nodejs, it would not be worth the effort to take so much headache. Try pitching a "thin client" approach to your client.
Alexis Paques over 8 years

It is only the lazy compiled native code ! (2 times slower than the optimized one they say)
Dzenly over 8 years

Sometimes clients are so secure as prevent any internet access. I.e. there are use cases when your business logic must be on client's server. So the problem of securing node.js server code is quite actual.
mwag almost 8 years

Agree w @Dzenly. In addition, "protection through obscurity which is no protection at all" is false. as kumar_harsh points out, it merely raises the bar, BUT just because the bar is not insurmountable doesn't mean it doesn't provide value-- otherwise you could say the same of any security system. This is especially true for enterprise products. Also, clients that require high security are more likely to have strong controls that make it difficult, possibly a fireable offense, for employees to reverse engineer their vendors' products.
Félix Brunet about 5 years

Nexe permit to create a stand-alone executable, but do not obfuscate the code at all. you can easily retrieve the javascript code at the end of the (huge) binary file.