保护客户端代码

发布于 2024-10-27 10:03:26 字数 255 浏览 4 评论 0原文

我正在开发一个使用客户端代码(具体来说是 js)的应用程序,该代码需要受到保护。即用户无法窃取代码并重复使用它。混淆不是一种选择,因为我需要完全保护代码(通过加密)。在广泛搜索互联网上允许 js 加密的解决方案后,我得出的结论是,该专有代码只能在服务器端执行以确保其安全性。

是否有人有任何其他想法或解决方案,可以使服务器不必处理本来可以在客户端上用 js 完成的事情。在服务器上执行某些代码是一种选择,但资源有限。另一个问题是它需要类似于“服务器端 js”,即用户体验不会改变。

I'm in the process of developing an application that uses client side code (js to be specific), which needs to be secured. I.e. so that a user cannot steal the code and reuse it. Obfuscation is not an option, as I need the code to be fully secured (with encryption). After extensively scouring the internet for a solution that allows js encryption I have come come to the conclusion that this proprietary code can only be executed server side to ensure its security.

Does any one have any other ideas or solutions, that would relieve the server from having to process things that otherwise could be done on the client with js. Executing some of the code on the server is an option, but resources are limited. Another issue is that it would need to be something like "server side js" i.e. the user experience is not changed.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

如果代码是客户端,他们就有代码。时期。这就是互联网的运作方式。

如果您想保护它免受最终用户的侵害,那么是的,您需要将其保留在服务器端。唉,这将改变用户体验。确实没有办法解决这个问题,尽管也许通过明智的 AJAX 调用您可以找到一个令人满意的媒介。

If the code is client side, they have the code. Period. That's how the internet works.

If you want to protect it from the end-user, then yes, you need to keep that on the server side. Alas, that will change the user experience. There really isn't a way around that, though perhaps via judicious AJAX calls you can find a happy medium.

无远思近则忧 2024-11-03 10:03:26

不,听起来你已经了解了事情的要点。使用服务器来处理任何需要安全完成的事情。使用javascript显示从服务器发送的数据。

我不知道您正在开发什么应用程序,但通常将重要处理卸载到客户端的努力涉及大量数据传输,从长远来看,服务器必须执行更多工作。我能问一下您想要在客户端进行什么样的处理吗?

Nope, it sounds like you've pretty much got the gist of things. Use the server to process anything that needs to be done securely. Use javascript to display the data sent from the server.

I don't know what application you're working on, but typically efforts to offload significant processing onto the client side involve so much data transfer that the server has to do more work in the long run. Can I ask what kind of processing you're wanting to do client-side?

忆沫 2024-11-03 10:03:26

对于服务器端解决方案,用户体验将必须发生改变,仅仅是因为您将在不同的机器上运行代码,并且两者之间有网络。延迟将会有所不同。当然,它可能已经足够好了,但在不知道它是什么类型的应用程序的情况下很难说。

我能想到的最接近的方法是在一个安全的应用程序中托管某种 JavaScript 引擎……但是您可以从游戏行业尝试的状态看出,他们发现制作不可破解的客户端代码是多么容易。基本上,如果要在本地运行,代码必须在那里执行......这意味着它可以被检查。你所能做的就是让它变得更难。

The user experience would have to be changed for a server-side solution, simply by the fact that you'd be running code on a different box, with a network between the two. The latency will be different. It may be good enough, of course, but it's hard to say without knowing what kind of app it is.

The closest I can imagine is hosting some sort of JavaScript engine within an otherwise-secure application... but you can tell from the state of the games industry's attempts how easy they've found it to make unhackable client code. Basically, if it's going to run locally, the code has to be there to execute... and that means it can be inspected. All you can do is make it harder.

怕倦 2024-11-03 10:03:26

您可以加密您的 JavaScript,然后在客户端对其进行解密和评估。如果它是私人应用程序,您可以使用密码进行加密,因此没有密码的任何人都无法解密它。否则你应该让它变得非常复杂。

You could encrypt your javascript and then decrypt&eval it on the client side. If it´s a private application, you could use a password for the encryption, so anyone without password could not decrypt it. Otherwise you should make it really complex.

一萌ing 2024-11-03 10:03:26

除了这里讨论的标准 JS 混淆之外:https://stackoverflow.com/questions/2285593/how-to-sell-and-protect-software-that-has-easily-visible-source-like-javascript
这几乎是不可能做到的。

我倾向于质疑是否真的需要首先保护客户端代码。是什么让它如此独特以至于有必要这样做?无论如何,任何类型的敏感数据操作都应该在服务器端完成,因为每种混淆方法始终只能提供不完美的保护。

Apart from standard JS obfuscation which is discussed e.g. here: https://stackoverflow.com/questions/2285593/how-to-sell-and-protect-software-that-has-easily-visible-source-like-javascript
this is close to impossible to do.

I would tend to question whether there really is a need to protect the client side code in the first place. What makes it so unique that this is necessary? Any kind of sensitive data manipulation should be done on the server side anyway, as every obfuscation method will always be only imperfect protection.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文