Effectively protect .js code with asp

Submitted on: 1/6/2015 10:24:00 PM
By: Mark Kahn (from psc cd)  
Level: Intermediate
User Rating: By 3 Users
Compatibility: ASP (Active Server Pages)
Views: 1807
     This uses the asp http_referer variable, some no caching techniques and some other optional methods to make it very hard for most people to view your javascript source code.

The idea is pretty simple. If request.servervariables("HTTP_REFERER") doesn't come from the same domain as the script is in, either a) don't show the script or b) show them a fake script. Basically what you're going to need to do is rename your .js files that you want to protect to .asp files and drop in the below code at the top of this file. All the no-cache stuff is so they can't open their temporary internet files and just view the source.

Currently, the only way I know of to view the source of a page protected with this method is to use javascript in the URL to change an existing URL on the page. ie: javascript:document.links[0].href='yourjavascriptfile.asp'; and then clicking on that link. But how many users are going to know how to do that? And for the ones that do, see the optional protection below.
response.expires = now() - 1
Response.ExpiresAbsolute = Now() - 1
Response.AddHeader "Pragma", "No-Cache"
Response.AddHeader "cache-control","private"
Response.CacheControl = "no-cache"

if lcase(request.servervariables("HTTP_REFERER")) <> "" then
' either do a response.end here or write out some fake javascript to fool people
end if
Other Optional Methods
Allow one-time-accessThis method involves setting a session var, a cookie, or the querystring requesting the javascript file to a random number. On the javascript file, check to see if the number is the same, and then erase it. This provides one-time access to the javascript file meaning if the user tried the above work-around, it still wouldn't work. Still not 100% foolproof though. The user is still capable of opening JUST your html page and then the javascript file manually.
Restricting how long the
javascript can be accessed for.
This one is kinda dangerous because it might cause users on slow connections, or javascript files on large pages to not be loaded. Not sure on a complete fix for that yet. Put simply, you set another session var to the current datetime in the page calling the javascript file. Then in the javascript file itself, you just check if it's been more than X seconds since that variable was set. IE in my sample file, I have that variable set to 3 seconds, so anyone trying the above methods to view the script wouldn't be able to after a mere 3 seconds.

Once again, this is by no means foolproof, but it will keep anyone who isn't a fairly decent programmer/designer/developer/whatever from viewing your source code. If you want to see a live example of how this protection works, please take a look at


Other 7 submission(s) by this author


Report Bad Submission
Use this form to tell us if this entry should be deleted (i.e contains no code, is a virus, etc.).
This submission should be removed because:

Your Vote

What do you think of this article (in the Intermediate category)?
(The article with your highest vote will win this month's coding contest!)
Excellent  Good  Average  Below Average  Poor (See voting log ...)

Other User Comments

 There are no comments on this submission.

Add Your Feedback
Your feedback will be posted below and an email sent to the author. Please remember that the author was kind enough to share this with you, so any criticisms must be stated politely, or they will be deleted. (For feedback not related to this particular article, please click here instead.)

To post feedback, first please login.