How to secure commercial javascript library in front-end











up vote
0
down vote

favorite












CONTEXT



I am developing a web application with RAILS as the API-JSON backend with React in front-end. Recently, we need to integrate a commercial Javascript library which requires to be initialized at the client-side. I need to input the license key during the initialization process, which I have 2 options from their API:




  • Use the license key directly: commercialLib.setup(configWithLicense);

  • Via license file URL: commercialLib.setup(configWithLicenseURL);


Apparently, I don't want the first options since it can easily expose the license. However, with even with the latter, the license file content can easily read via the browser developer tool.



One more thing makes me confused is the vendor has their demo/sample page, which they are using the second approach (they sent me the source as an example for using, and also I can easily check the javascript source with the developer tool). But in their site, the request to the license file URL is not displayed, and I absolutely have no idea how they do that.



QUESTION



How can I secure my license in this scenario? And how could I hide a browser request from being traced in the developer tool?






ruby-on-rails reactjs







share|improve this question






















  • You can't hide a request or anything that is sent to the client. Anything that goes across the wire can be read by the client.
    – max
    Nov 8 at 15:28










  • Yes, AFIK it is impossible, but according to the sample code that I inspected in the vendor's sample webpage (which they also sent me that) it's happening. Could you help me with the other question (the one about secure javascript library license) ?
    – Firice Nguyen
    Nov 8 at 19:24












  • You can't really hide anything - I'm guessing the company in question is delusional, full of $hit or they are just using some form of obfuscation. When using API's for example this is handled by using non-secret API keys for javascript SDKs.
    – max
    Nov 8 at 19:29

















up vote
0
down vote

favorite












CONTEXT



I am developing a web application with RAILS as the API-JSON backend with React in front-end. Recently, we need to integrate a commercial Javascript library which requires to be initialized at the client-side. I need to input the license key during the initialization process, which I have 2 options from their API:




  • Use the license key directly: commercialLib.setup(configWithLicense);

  • Via license file URL: commercialLib.setup(configWithLicenseURL);


Apparently, I don't want the first options since it can easily expose the license. However, with even with the latter, the license file content can easily read via the browser developer tool.



One more thing makes me confused is the vendor has their demo/sample page, which they are using the second approach (they sent me the source as an example for using, and also I can easily check the javascript source with the developer tool). But in their site, the request to the license file URL is not displayed, and I absolutely have no idea how they do that.



QUESTION



How can I secure my license in this scenario? And how could I hide a browser request from being traced in the developer tool?






ruby-on-rails reactjs







share|improve this question






















  • You can't hide a request or anything that is sent to the client. Anything that goes across the wire can be read by the client.
    – max
    Nov 8 at 15:28










  • Yes, AFIK it is impossible, but according to the sample code that I inspected in the vendor's sample webpage (which they also sent me that) it's happening. Could you help me with the other question (the one about secure javascript library license) ?
    – Firice Nguyen
    Nov 8 at 19:24












  • You can't really hide anything - I'm guessing the company in question is delusional, full of $hit or they are just using some form of obfuscation. When using API's for example this is handled by using non-secret API keys for javascript SDKs.
    – max
    Nov 8 at 19:29















up vote
0
down vote

favorite









up vote
0
down vote

favorite











CONTEXT



I am developing a web application with RAILS as the API-JSON backend with React in front-end. Recently, we need to integrate a commercial Javascript library which requires to be initialized at the client-side. I need to input the license key during the initialization process, which I have 2 options from their API:




  • Use the license key directly: commercialLib.setup(configWithLicense);

  • Via license file URL: commercialLib.setup(configWithLicenseURL);


Apparently, I don't want the first options since it can easily expose the license. However, with even with the latter, the license file content can easily read via the browser developer tool.



One more thing makes me confused is the vendor has their demo/sample page, which they are using the second approach (they sent me the source as an example for using, and also I can easily check the javascript source with the developer tool). But in their site, the request to the license file URL is not displayed, and I absolutely have no idea how they do that.



QUESTION



How can I secure my license in this scenario? And how could I hide a browser request from being traced in the developer tool?






ruby-on-rails reactjs







share|improve this question













CONTEXT



I am developing a web application with RAILS as the API-JSON backend with React in front-end. Recently, we need to integrate a commercial Javascript library which requires to be initialized at the client-side. I need to input the license key during the initialization process, which I have 2 options from their API:




  • Use the license key directly: commercialLib.setup(configWithLicense);

  • Via license file URL: commercialLib.setup(configWithLicenseURL);


Apparently, I don't want the first options since it can easily expose the license. However, with even with the latter, the license file content can easily read via the browser developer tool.



One more thing makes me confused is the vendor has their demo/sample page, which they are using the second approach (they sent me the source as an example for using, and also I can easily check the javascript source with the developer tool). But in their site, the request to the license file URL is not displayed, and I absolutely have no idea how they do that.



QUESTION



How can I secure my license in this scenario? And how could I hide a browser request from being traced in the developer tool?






ruby-on-rails reactjs




ruby-on-rails reactjs






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 7 at 15:02









Firice Nguyen

1,231715




1,231715












  • You can't hide a request or anything that is sent to the client. Anything that goes across the wire can be read by the client.
    – max
    Nov 8 at 15:28










  • Yes, AFIK it is impossible, but according to the sample code that I inspected in the vendor's sample webpage (which they also sent me that) it's happening. Could you help me with the other question (the one about secure javascript library license) ?
    – Firice Nguyen
    Nov 8 at 19:24












  • You can't really hide anything - I'm guessing the company in question is delusional, full of $hit or they are just using some form of obfuscation. When using API's for example this is handled by using non-secret API keys for javascript SDKs.
    – max
    Nov 8 at 19:29




















  • You can't hide a request or anything that is sent to the client. Anything that goes across the wire can be read by the client.
    – max
    Nov 8 at 15:28










  • Yes, AFIK it is impossible, but according to the sample code that I inspected in the vendor's sample webpage (which they also sent me that) it's happening. Could you help me with the other question (the one about secure javascript library license) ?
    – Firice Nguyen
    Nov 8 at 19:24












  • You can't really hide anything - I'm guessing the company in question is delusional, full of $hit or they are just using some form of obfuscation. When using API's for example this is handled by using non-secret API keys for javascript SDKs.
    – max
    Nov 8 at 19:29


















You can't hide a request or anything that is sent to the client. Anything that goes across the wire can be read by the client.
– max
Nov 8 at 15:28




You can't hide a request or anything that is sent to the client. Anything that goes across the wire can be read by the client.
– max
Nov 8 at 15:28












Yes, AFIK it is impossible, but according to the sample code that I inspected in the vendor's sample webpage (which they also sent me that) it's happening. Could you help me with the other question (the one about secure javascript library license) ?
– Firice Nguyen
Nov 8 at 19:24






Yes, AFIK it is impossible, but according to the sample code that I inspected in the vendor's sample webpage (which they also sent me that) it's happening. Could you help me with the other question (the one about secure javascript library license) ?
– Firice Nguyen
Nov 8 at 19:24














You can't really hide anything - I'm guessing the company in question is delusional, full of $hit or they are just using some form of obfuscation. When using API's for example this is handled by using non-secret API keys for javascript SDKs.
– max
Nov 8 at 19:29






You can't really hide anything - I'm guessing the company in question is delusional, full of $hit or they are just using some form of obfuscation. When using API's for example this is handled by using non-secret API keys for javascript SDKs.
– max
Nov 8 at 19:29



















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53192100%2fhow-to-secure-commercial-javascript-library-in-front-end%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53192100%2fhow-to-secure-commercial-javascript-library-in-front-end%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

這個網誌中的熱門文章

Academy of Television Arts & Sciences

圖片
American television organization Academy of Television Arts & Sciences Founded 1946 ; 73 years ago  ( 1946 ) Location North Hollywood, California, United States Area served Television industry Product Emmy Awards Key people Frank Scherma ( Chairman and CEO ) Website televisionacademy.com [redirects to emmys.com , official website of the Emmys and the Television Academy The Academy of Television Arts & Sciences ( ATAS ), also colloquially known as the Television Academy , is a professional honorary organization dedicated to the advancement of the television industry in the United States. Founded in 1946, the organization presents the Primetime Emmy Awards, an annual ceremony honoring achievement in U.S. primetime television. Contents 1 History 2 Emmy Award 3 Publications and programs 4 Current governance 4.1 Board of Governors 5 Television Academy honors 5.1 1st Annual (2008) 5.2 2nd Annual (2009)...
閱讀完整內容

L'Équipe

圖片
For other uses, see Équipe (disambiguation). L'Équipe The front page of L'Équipe on 4 July 2011 Type Daily newspaper Format Tabloid Owner(s) Éditions Philippe Amaury Editor François Morinière Editor-in-chief Fabrice Jouhaud Founded 1946 Language French Headquarters Boulogne-Billancourt ISSN 0153-1069 Website www.lequipe.fr L'Équipe ( pronounced  [lekip] , French for "the team") is a French nationwide daily newspaper devoted to sport, owned by Éditions Philippe Amaury. The paper is noted for coverage of association football , rugby, motorsport and cycling. Its predecessor was L'Auto , a general sports paper whose name reflected not any narrow interest but the excitement of the time in car racing. L'Auto originated the Tour de France cycling stage race in 1903 as a circulation booster. The race leader's yellow jersey (French: maillot jaune ) was instituted in 1919, probably to reflect the dist...
閱讀完整內容

1995 France bombings

圖片
This article is a rough translation from French . It may have been generated by a computer or by a translator without dual proficiency. Please help to enhance the translation. The original article is under "français" in the "languages" sidebar. See this article's entry on Pages needing translation into English for discussion. 1995 France bombings Part of Algerian Civil War (spillover) Plaque commemorating the victims of the Saint-Michel station bombing on 25 July 1995 Location Paris and Lyon, France Date 25 July 1995  ( 1995-07-25 ) – 17 October 1995  ( 1995-10-17 ) Weapons Improvised explosive devices, school bombing Deaths 8 Non-fatal injuries 157 Perpetrator Armed Islamic Group Motive To induce the French government to withdraw support from the Algerian government during the Algerian Civil War The 1995 bombings in France were carried out by the Armed Islamic Group (GIA), who were broadening the Alger...
閱讀完整內容