Why “hiding” source code is bad.

I’ve been working at my current employer for about 5 months now and since I started, I have been involved in or heard this conversation more than 10 times, which is 10 times more than I’ve heard within the past 7 years I’ve been doing web development. The client wants their source code hidden from public view.

Let me first explain where I feel the communication has failed. The client says “Source code”; however, they may mean “Application code”. When clients “View Source”, they may not know exactly what they are looking at; all they see is code. If they don’t understand the difference between HTML code and server-side code (PHP/.NET/JSP), they feel like the code that makes their site work could be compromised. It is imperative that the client understand the difference between these 2 types of code and that their server-side source code is safe.

Moving forward, if they completely understand the above information, here are some of the reasons clients may want their source code hidden. Some of these are very valid requests, in my opinion; however, their lack of knowledge on the subject limits their ability to come up with real solutions to the problems.

  • Their site is unique, and they don’t want it replicated.
  • They have login forms on their site they want to protect even further.
  • Robot/Spam prevention
  • and the number one reason: Phishing Protection

There are plenty of good reasons to protect your website from the things mentioned above; however, trying to hide the source code is not the solution. The current measures on the web for hiding the source code are as follows, in order from least effective to most effective:

  1. Disable Right Click
  2. Adding X number of blank lines at the top of the source code.
  3. Using a JavaScript source encrypter to change the way the rendered source looks. There are many different versions of this out there.
  4. Design entire site in Flash
  5. Design entire site in Java
  6. Restrict access to your site to only users with HTTP Authorization
  7. Remove your website from the internet

Obviously the last 4 are quite ridiculous, however I felt the need to mention them due to the number of times I’ve tried convincing clients how ignorant trying to hide the source code is. Here is why all the items above are bad:

  1. Easy to get around, doesn’t stop Menu commands and keyboard shortcuts, loses functionality on your website.
  2. Will only foil CEOs and Bigwigs, not the actual people you’re trying to protect the code from.
  3. Slows down site, fails horribly, DOM source still easily visible.
  4. Probably the “best” solution, but costs a bit more, doesn’t prevent screenshots, and is not SEO friendly.
  5. Costs a whole lot more, requires all visitors to have the Java plugin installed.
  6. Requires everyone to log into the site before doing anything.
  7. Makes it impossible for visitors to get to your website.
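
To make the point about item 3 concrete, here is an added example (not from the original post) of why a source encrypter slows the site down while leaving the DOM source visible. It assumes a simplified encrypter that percent-encodes the markup and decodes it with `document.write`; the function names and the sample page are constructed for illustration.

```javascript
// Added illustration; function names and the sample page are constructed.
// Simplified model of a "source encrypter": percent-encode every byte of the
// markup and ship it inside a script that decodes it in the browser.
function obfuscatePage(html) {
  const encoded = Array.from(Buffer.from(html, "utf8"))
    .map((b) => "%" + b.toString(16).padStart(2, "0").toUpperCase())
    .join("");
  return '<script>document.write(decodeURIComponent("' + encoded + '"))</script>';
}

// What the browser has to do before it can render anything: run the decoder.
// The result is the DOM that the browser's inspector or "save page" shows,
// which is the same markup the tool tried to hide.
function markupBrowserRenders(page) {
  const m = /decodeURIComponent\("([^"]*)"\)/.exec(page);
  if (m === null) return page; // not wrapped: the page is already plain markup
  return decodeURIComponent(m[1]);
}

// Size cost of the wrapper: bytes sent divided by bytes of real markup.
function sizeOverhead(html) {
  return Buffer.byteLength(obfuscatePage(html), "utf8") / Buffer.byteLength(html, "utf8");
}

// Constructed sample page: a login form like the ones clients want to "protect".
const SAMPLE_PAGE =
  '<form action="/login" method="post">\n' +
  '  <input name="user"> <input name="pass" type="password">\n' +
  "  <button>Sign in</button>\n" +
  "</form>";

function demo() {
  const shipped = obfuscatePage(SAMPLE_PAGE);
  return {
    viewSourceShowsForm: shipped.includes("<form"),
    domShowsForm: markupBrowserRenders(shipped) === SAMPLE_PAGE,
    overhead: sizeOverhead(SAMPLE_PAGE),
  };
}

console.log(demo());
```

The page sent to visitors is more than three times larger, and the markup the browser ends up with is byte-for-byte the original, so the only thing that stays private is what never leaves the server.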

After discussing this several times in the past few months, I could go on and on listing reasons against these practices, however to be a bit more practical, let’s take a look at some companies that would do this if it was at all worth it:

If you’ll notice, none of these websites are practicing any of the methods mentioned above. There’s good reason: they are useless. They do nothing but slow down your visitors’ experience of getting what they came to your site for. It’s my understanding that the ultimate goal of web design is to attract visitors to your site, and by doing the things mentioned above, you would be driving traffic away from your site.

Here’s a page that has more information on this subject and further explains how unnecessary these attempts are.

Are there any developers or web shops out there running into this problem, particularly with credit unions or financial institutions?

One Response

  1. Elizabeth Phillis

    I despise the phishing emails. These people seem to get more determined by the day. I receive 2 or 3 every single day and report them to phishtrackers, a web site I stumbled upon that lets you submit them anonymously.
