8

I have a web application developed using Python, HTML, CSS & JavaScript.

The customer installs it on any of their own machines and uses it through their LAN. In short, the customer sets up the webserver on one of their own machines.

Since it's a web application, all the source code is open for the customer in the document root directory of the webserver. I want to encrypt the whole source code in the document root directory in such a way that it should not affect the working of the web application.

Is there any way to encrypt the Python, HTML, CSS & JavaScript for this purpose?

ASKN
  • See http://stackoverflow.com/questions/576963/python-code-obfuscation for possibilities to obfuscate python – user281377 Jan 12 '12 at 11:12
  • 1
    "the customer sets up the webserver in any of their own machine" Are you saying they download a package and install that package? Are you saying that this application is both the package they download **and** a working web application **at the same time**? That seems very strange. Why isn't their download an encrypted ZIP archive? – S.Lott Jan 12 '12 at 11:59
  • The customer downloads a package or exe based on the platform and installs it. During installation all the files are automatically copied into the webserver's document root. This application also comes with another app written in C. The web application actually communicates with it. The whole web app and C app are all in a single package. And it is a one-time installation. – ASKN Jan 12 '12 at 12:39
  • 1
    It's not really possible to encrypt HTML, CSS, and JavaScript. I am sure there is a method to protect Python code. – Ramhound Jan 12 '12 at 12:44
  • If you encrypt the modules, then you will have to decrypt the module at runtime, which will slow down your application. As a reference, try looking at the 'this' module in Python, and how it functions. – c0da Jan 12 '12 at 12:49
  • 1
    @S.Lott He wants to encrypt the source code so that customers are not able to see it. Am I right, Ashin? And you are suggesting he give an encrypted zip of the source code. One possibility might be to read the (encrypted) zip every time, though. – c0da Jan 12 '12 at 12:53
  • Although you cannot really encrypt HTML, CSS and JavaScript, if you store them encrypted and decrypt them in the Python program, the customer can still see them (e.g. in the browser), but not easily tamper with them - an effect you might want. – user281377 Jan 12 '12 at 14:41
  • @ammoQ: However, with a teeny bit of motivation the customer can get everything decrypted, given that the customer has the ciphertext, the decryption module, and the key. I think obfuscation is as close as the OP is going to get. – David Thornley Jan 12 '12 at 17:18
  • David: In theory, you could use asymmetric encryption so the customer still can't change the HTML files (in a sensible way) without also tinkering with the Python program. – user281377 Jan 12 '12 at 19:12
  • @c0da yes you are right... – ASKN Jan 13 '12 at 16:58

3 Answers

20

Once your customer has a program they can run, they will be able to reverse engineer it given sufficient time & skill. That is just a fact of life.

If you really want to stop it, you should host and run the software yourself (SaaS)

Having said that, something like Python will be easier than C. Let's split this into the 3 parts you asked about (and then some more)

HTML

No matter what you do here, it will be decrypted in the browser (even in the SaaS model), so encrypting it on the server is pointless. Even minifying is pointless as modern browsers like Firefox and Chrome will neatly format it for them.

CSS

See above - don't waste your time

Javascript

Yahoo has a tool that can obfuscate it for you. Try YUI Compressor. Note, don't bother encrypting this on the server side, as it must be served to the client unencrypted*, which would defeat the purpose.

Python

This is the only place you really want to spend your time - protecting your business logic. There are several methods you will find on Google, such as encrypting on disk and then decrypting at run-time. All these methods have problems, such as performance hits and having to supply the decrypter (hence enabling them to decrypt it anyway).

Your best bet to stop those not hellbent on stealing your code would be to obfuscate your Python code.

Summary

The only code you can stop someone from getting is the code you don't give them. HTML, CSS & Javascript will always end up on your user's machine in a manner they can use, so assume they will be able to steal it if they want, tough luck.

To protect your server code, the only sure-fire method is to NOT give it to them, running it in something like a SaaS model.

If that isn't possible, the best you can do is make it harder for them.

Testing

Always make sure you test on the production version you will be supplying your customers. This ensures any special build steps (such as obfuscation & minification) do not break your software.

Boring Business Stuff

So all of the above (and your question) has addressed this issue from the technical side. The other side of the coin is from the business/legal side.

If you have a small number of clients you can provide different "watermarked" versions of your software to each client. By doing this, you increase the possibility of being able to track stolen software back to the source and take whatever legal action is appropriate.

Don't forget, if you are in a serious business, you would be best to consult a lawyer on how you can prove and enforce the ownership of your software, should things go wrong.


* not strictly true, you could serve it encrypted and have other Javascript decrypt it on the fly, but this would be near pointless as it adds a performance hit and you will have to supply the attacker with the decrypter anyway...

Dan McGrath
  • 1
    I would add that he should be careful if he's using any reflection in Python because obfuscation could potentially cause problems. Most "reflective" languages are a tough sell for obfuscation because of the type information available at run time. There are some decent solutions here http://stackoverflow.com/questions/261638/how-do-i-protect-python-code but most recommend against it. I'm not familiar with reflection in Python but here's a source for reflection/obfuscation hurting obfuscation in Java http://en.wikipedia.org/wiki/Obfuscated_code#Disadvantages_of_obfuscation – brian Jan 12 '12 at 14:43
  • 1
    Thanks @brian, I added a generic **Testing** section which sort of covers that now – Dan McGrath Jan 12 '12 at 15:23
5

No.

HTML, CSS, and JavaScript cannot be encrypted, as the browser needs to read them as plain text. The best you can do is obfuscate them.

For Python you could compile it into a DLL, so you are not outright giving the client the source code. But it can still be decompiled.


For argument's sake, let's say you provided a custom web server for your clients to use; this custom web server reads encrypted Python files, then compiles and runs them. A hacker could still decompile the custom web server and get full access to the decryption module and the encryption keys.

If your code (or data), in any form, is on someone else's hardware, the code can be stolen.

My proof of this: just look at all the warez sites; everything gets hacked.

Morons
  • I agree the code can be broken. But at least I want to make it a little difficult for them to get the code. – ASKN Jan 14 '12 at 13:49
2

As for Python, there are a number of ways to tackle this but you will need to do some of the heavy lifting. Here are some thoughts:

  1. zip file containing just the .pyc files. This would mean you would need to either dictate the exact Python version and architecture or provide multiple .zip files, one for each architecture that you are supporting.

  2. PEP 302 introduced the importlib that will allow you to integrate your own custom importer. Examples that need custom importers are py2exe, freeze, etc. You should be able to integrate your own importer to read encrypted zip files or whatever format though you'll probably want to put some of that code into compiled C as your own module.

As for Javascript, if you mean client side, then no. But for node.js, you could do some work on the V8 engine where you load/save the compiled version of Javascript (similar to a .pyc) if available instead of using source. You'll probably need a C developer to do that work and it may require patching to specific versions of node.js.

user106111
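The custom-importer idea from point 2 of the answer above, as an added example that is not part of the original answer or of any project mentioned on this page. It uses the current `importlib` finder/loader interface; the key, the `billing_logic` module and the toy keystream cipher (a stand-in for a real cipher) are constructed for illustration, and `recover_source` shows the limit the other answers describe: whoever holds the shipped loader also holds the key.

```python
import hashlib
import importlib.abc
import importlib.util
import sys

# Assumption: the key ships inside the loader, so the customer has it too.
KEY = b"constructed-demo-key"

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter keystream (not a real cipher); XOR is its own inverse."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

class EncryptedImporter(importlib.abc.MetaPathFinder, importlib.abc.Loader):
    """Finder/loader that serves modules from an encrypted in-memory store."""

    def __init__(self, store: dict, key: bytes):
        self.store, self.key = store, key

    def find_spec(self, fullname, path=None, target=None):
        if fullname in self.store:
            return importlib.util.spec_from_loader(fullname, self)
        return None  # everything else goes through the normal import system

    def create_module(self, spec):
        return None  # use the default module object

    def exec_module(self, module):
        # Decrypt only in memory, then compile and run in the module namespace.
        source = keystream_xor(self.key, self.store[module.__name__])
        exec(compile(source, f"<encrypted {module.__name__}>", "exec"), module.__dict__)

# Constructed sample "business logic" and its encrypted form as stored on disk.
PLAINTEXT = b"MARKUP_PCT = 20\ndef price_cents(net):\n    return net * (100 + MARKUP_PCT) // 100\n"
STORE = {"billing_logic": keystream_xor(KEY, PLAINTEXT)}

def load_protected():
    """Install the importer and import the encrypted module by name."""
    sys.meta_path.insert(0, EncryptedImporter(STORE, KEY))
    import billing_logic
    return billing_logic

def recover_source() -> bytes:
    """The same key and routine, both shipped to the customer, undo the encryption."""
    return keystream_xor(KEY, STORE["billing_logic"])
```
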