/

Domain Lock

Protection ID: domainLock

Domain Lock is a specialized protection feature that restricts your JavaScript code to run only on specific domains or subdomains. This prevents unauthorized copying and deployment of your code on other websites, securing your intellectual property and helping enforce proper licensing.

This protection is available in all editions of ByteHide Shield.

How It Works

Domain Lock adds verification code to your JavaScript that checks if the current domain where the code is running matches any of the allowed domains specified in your configuration. If the code is executed on an unauthorized domain, it will:

  1. Stop normal execution
  2. Optionally redirect the browser to a URL you specify
  3. Prevent unauthorized use of your JavaScript functionality

The domain verification occurs at runtime when the JavaScript loads, making it an effective way to ensure your code only runs in authorized environments.

Domain Lock only works in browser environments and is not compatible with Node.js applications. It's specifically designed for securing web applications.

Parameters

  • Domains string[] : An array of domains or subdomains where the code is allowed to run. [] (empty array) by default

  • Redirect URL string : The URL where the browser will be redirected if the code runs on an unauthorized domain. "about:blank" by default

For root domains with any subdomain, use a dot prefix: .example.com will allow the code to run on example.com, blog.example.com, etc.

For specific domains, use the full domain: www.example.com will only allow the code to run on that exact domain.

Configuration Examples

Basic Configuration (shield.config.json)

{
  "domainLock": ["example.com", "www.example.com"]
}

With Redirect URL

{
  "domainLock": [".example.com", "app.another-domain.com"],
  "domainLockRedirectUrl": "https://example.com/unauthorized.html"
}

Build Tool Integration (Webpack)

// webpack.config.js
const ByteHideShieldPlugin = require('@bytehide/webpack-shield');

module.exports = {
  // ... other webpack config
  plugins: [
    new ByteHideShieldPlugin({
      projectToken: 'your-project-token',
      config: {
        domainLock: [".example.com", "app.secure-site.com"],
        domainLockRedirectUrl: "https://example.com/license-required.html"
      }
    })
  ]
}

Implementation Details

Domain Lock works through a series of checks that verify the current domain against your specified allowed domains:

  1. Domain extraction: Gets the current hostname from the browser environment
  2. Pattern matching: Checks if the current domain matches any of the allowed patterns
  3. Execution control: Prevents normal code execution if the domain doesn't match
  4. Optional redirection: Redirects to your specified URL when an unauthorized domain is detected

The actual implementation uses various techniques to make it difficult to remove or bypass the domain check.

Code Example

While the exact implementation is more complex and obfuscated, the concept behind Domain Lock can be illustrated as follows:

// Original code
function processPayment(paymentDetails) {
  // Payment processing logic
  verifyCard(paymentDetails.cardNumber);
  processTransaction(paymentDetails.amount);
  return { success: true, reference: generateReference() };
}

// Conceptual equivalent with Domain Lock (actual implementation is more secure)
(function() {
  function checkDomain() {
    const allowedDomains = ['.example.com', 'checkout.example.com'];
    const currentDomain = window.location.hostname;
    
    let isAllowed = false;
    for (let i = 0; i < allowedDomains.length; i++) {
      const domain = allowedDomains[i];
      if (domain.startsWith('.')) {
        // Check for domain or any subdomain
        if (currentDomain === domain.substring(1) || currentDomain.endsWith(domain)) {
          isAllowed = true;
          break;
        }
      } else {
        // Check for exact domain match
        if (currentDomain === domain) {
          isAllowed = true;
          break;
        }
      }
    }
    
    if (!isAllowed) {
      window.location.href = "https://example.com/unauthorized.html";
      return false;
    }
    
    return true;
  }
  
  // Original function wrapped with domain check
  window.processPayment = function(paymentDetails) {
    if (!checkDomain()) {
      return { success: false, error: "Unauthorized" };
    }
    
    // Payment processing logic
    verifyCard(paymentDetails.cardNumber);
    processTransaction(paymentDetails.amount);
    return { success: true, reference: generateReference() };
  };
})();

When to Use

Domain Lock is particularly valuable in these scenarios:

  • SaaS applications: Restrict your JavaScript to run only on your official domain
  • Premium scripts: Protect scripts sold to specific customers for use on their domains
  • White-label solutions: Ensure your white-labeled code only runs on authorized client domains
  • License enforcement: Add an additional layer of protection for licensed web applications

For optimal implementation:

  1. Use dot prefixes to include subdomains when appropriate
  2. Set a custom redirect URL that explains why the code isn't running
  3. Combine with other Shield protections for maximum security
  4. Consider including both www and non-www versions of your domains

Compatibility Notes

Domain Lock has the following compatibility considerations:

  • Browser only: Works only in browser environments, not in Node.js applications
  • Local development: Consider adding localhost to your domain list during development
  • Testing environments: Include staging or QA domains if needed for testing
  • CDN deployment: If your JavaScript is loaded from a CDN, the domain check will still verify the domain where the page is running

Domain Lock does not prevent someone from removing the protection entirely, but it makes it much harder to do so when combined with other Shield protections like Self Defending and Control Flow Flattening.

For maximum security, combine Domain Lock with:

Previous
Debug Protection
Next
Console Output Disabling