There are various hacks about, each one more limited and useless than the others. The simple fact is that you cannot block access to the source code - as browsers need it to render the page. You can prevent some hotlinking, but you cannot effectively block linking to a published resource. This is simply how the web works. Even the right-click scripts are little more than useless and they have the annoying side-effect (when they work) of denying access to all the other context-based menu items.

The thing is that almost any layout is easy to reproduce even without source code. Where the value lies is in the back end processing (server-side scripting), and that is protected anyway.

You can't. Attempting to do so is a waste of your time as a developer and mine as a visitor.

If I felt like lifting your content, I would start by recursively pulling your site using a tool like WGET. This tool directly downloads the content without attempting to display it, or run scripts, leaving me free to view the pages in the editor of my choosing. Whether by browser, spider or raw HTTP, the act of viewing your page gives me complete and unrestricted access to any content you serve. Petty scripting tricks achieve nothing.

When I visit a site, I use the right-click menu to navigate. Denying me the ability to do so (if it were truly possible) would simply make me leave. I habitually select text as I read, and use Firefox, Platypus, GreaseMonkey and Adblock to remove scripts and page elements not of my choosing. Annoying sites are usually the first to get neutered.

So what can you do?

You can scatter copyright assertions and tell-tales in your source code for free. Plugins such as Adobe Reader will give you a limited form of DRM for particularly valuable documents, but are essentially useless for a whole site. If your content is particularly valuable, you should consider protecting it with user authentication and a subscription model.

[edited by: asquithea at 9:53 pm (utc) on June 14, 2005]

Watermark any images, and/or use low resolution versions that are not worth copying.

Another vote for annoying right-click disables. I use them to open the links in a new window.

Something to think about:

Imitation is the highest form of flattery. For everything else, there's legal counsel.

No solution with IE or other commercially available browsers -- as already stated.

A solution follows:

Step 1 -- require users join your site to be able to see any pages at all (other than home, teasers and the signup page)

Step 2 -- write your own browser. Relatively easy to do given the volume of open source components and complete worked examples (like Firefox) that are around

Step 3 -- when a user signs up, require them to download a copy of your browser complete with a personalised encryption key

Step 4 -- serve all pages (other than etc) encrypted according to the key identified in the signon cookie....That means only the registered user can decrypt the HTML stream they are sent

Step 2 in more detail -- ensure your secure browser has no way of viewing the source, or saving page elements

It's a little bit of work sure, and may lose you some visitors. But if your content needs protecting, it's the only way.

You won't have heard of many sites doing this; but I can guarantee you also do not have copies of their source.

If you don't want your designs lifting or your content to be stolen, you'll have to find an alternative medium. The internet, and www in particular, were built specifically to share information, not to block access to it.

An email subscription might be an alternative - but even then, those who subscribe could still get at it.

Personally? If I were that paranoid, I'd publish a magazine instead of a website ...

No solution with IE or other commercially available browsers -- as already stated.
A solution follows:

# Step 1 -- require users join your site to be able to see any pages at all (other than home, teasers and the signup page)

# Step 2 -- write your own browser. Relatively easy to do given the volume of open source components and complete worked examples (like Firefox) that are around

# Step 3 -- when a user signs up, require them to download a copy of your browser complete with a personalised encryption key

# Step 4 -- serve all pages (other than etc) encrypted according to the key identified in the signon cookie....That means only the registered user can decrypt the HTML stream they are sent

# Step 2 in more detail -- ensure your secure browser has no way of viewing the source, or saving page elements

It's a little bit of work sure, and may lose you some visitors. But if your content needs protecting, it's the only way.

You won't have heard of many sites doing this; but I can guarantee you also do not have copies of their source.

For what it's worth, what you're describing is effectively DRM, and it has the same flaw that all such systems have: You are giving the user both the cypher-text and the key to decrypt it. Guaranteed failure. It really isn't worth the expense.

We're trying to disable the View Source option on the IE browser. I don't like having my designs lifted. I also don't want people to hotlink or create outside links to images within their portfolios. We diabled right clicking already. Any help?

The simplest way is to completely redesign your site in Flash. But I'm not sure how easy it is to reverse engineer a Flash site. But there is no real way to prevent people from seeing the source of an (x)HTML file.

Flash or Java will both obscure the inner workings. But where is the love? Isn't this the internet where we all share music, ideas, and information?

^ ^ LOL . . . .

Wasn't it MacArthur that said "The only thing that's new is what you don't know about history."?

"Information wants to be free because it has become so cheap to distribute, copy,
and recombine -- too cheap to meter. It wants to be expensive because it can be
immeasurably valuable to the recipient. That tension will not go away. It leads to endless
wrenching debate about price, copyright, intellectual property, the moral rightness of casual
distribution, because each round of new (technological) devices makes the tension worse,
not better."
- Stewart Brand
publisher: Whole Earth Catalog
founder: Whole Earth 'Lectronic Link (WELL)

"The main question about intellectual property is not 'can I protect it' - rather, it is
'can my potential audience find it in today's flood of information."
- John Perry Barlow
lyricist for The Grateful Dead
(paraphrased)

Barlow is quite worth reading and re-reading. Here's a Wired article from 1994 that
sounds mighty farsighted to me:
Everything you know about intellectual property is wrong [wired.com]

"The main question about intellectual property is not 'can I protect it' - rather, it is
'can my potential audience find it in today's flood of information."

The Wild West.

Flash or Java will both obscure the inner workings. But where is the love? Isn't this the internet where we all share music, ideas, and information?

Some people wants to share their content, but they don't what you to take a photo of it and take it home with ya.

wow - Thank you everyone!
after all the great feedback on webmasterworld, we decided to just truncate the whitespace and make it a little harder. I had someone come through a copy over 3 thousand images a couple years ago, and other folks doing mail relays, so I'm pretty gung ho for security and prevention (and a fair bit paranoid!). Also, good information design IS proprietary. when you sit in a double wide for three weeks and create some intellectual property (that takes 8000 more hours to develop) - you don't feel like letting anyone copy it, front end or back end.

If you are really serious about securing your webpage, the best you can do is make it more difficult for someone to copy your page source with following:
1. Open page to secure in popup window without menubar. Code to open popup:
window.open(path, 'hideme', 'scrollbars=yes,status=no,toolbar=no,location=no,menubar=no,left=0,top=0,width=800,height=600,resizable=yes,fullscreen=no');
2. Redirect if page does not open in expected popup window.
3. Allow only IE. For further security from other crawlers/softwares allow only logged in users to view page.
4. Disable right click.
5. Expire page from history
------------------
More in Script:
------------------
<%
Response.CacheControl = "no-cache"
Response.AddHeader "Pragma", "no-cache"
Response.Expires = -9

If InStr(Request.ServerVariables("HTTP_USER_AGENT"), "MSIE") > 0 then
'Allow
else
'Disallow
Response.End
end if
%>
<html><head><title>Hide</title>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<noscript>
<meta http-equiv="refresh" content="0; URL=http://www.yoursite.com/redirecturl.asp">
</noscript>
<script language=javascript>
<!--
//Ensure page opens only in its popup window
if (window.name!= 'hideme')
{
window.document.location.replace("redirecturl.asp");
}
//disallow Ctrl + C and other keys
function KeyDownDisable(e){
var keycode,strkeycode;
keycode = window.event.keyCode
if (keycode == 67 ¦¦ keycode == 88 ¦¦ keycode == 82 ¦¦ keycode == 83 ¦¦ keycode == 80){ //Ctrl + C, X, R, S, P
if (window.event.ctrlKey) {
window.event.keyCode = 123;
}
}
}
document.onkeydown=KeyDownDisable;

//Disable right click
function mischandler(){
return false;
}
document.oncontextmenu = mischandler;
//Disable right click
function right(e) {
if (navigator.appName == 'Netscape' && (e.which == 3 ¦¦ e.which == 2))
return false;
else if (navigator.appName == 'Microsoft Internet Explorer' && (event.button == 2 ¦¦ event.button == 3))
{
alert("Right click is not allowed on this page.");
return false;
}
return true;
}
document.onmousedown=right;
document.onmouseup=right;
if (document.layers) window.captureEvents(Event.MOUSEDOWN);
if (document.layers) window.captureEvents(Event.MOUSEUP);
window.onmousedown=right;
window.onmouseup=right;
// End -->
</script>
</HEAD><BODY leftMargin=10 topMargin=10 marginheight=0 marginwidth=0>

</body>
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</HEAD></html>

Sorry, but that wouldn't stop me 3 seconds, nor anyone else that knows anything about how browsers work.
I would only use such techniques in a site that does transactions and you want to avoid users using the back button and accidentently resubmitting requests.
No matter what you do, the browser DOWNLOADS your page.
So methods to defeat the above include
1) Look at the page in cache
2) Disable Javascript, and look for the URL to load from the first page and type that into your browser.
3) Use a tool to fetch the HTML code.

Regarding your points:
1) Look at the page in cache
>> If you look at the code, it expires page from cache. Only URL is stored in browser history. Clicking on URL in history fetches page from server. Moreover if window name does not match, it redirects (the redirect page can be used ban username/ip address).
2) Disable Javascript, and look for the URL to load from the first page and type that into your browser.
>> The meta refresh within <noscript> tag takes care of this.
3) Use a tool to fetch the HTML code.
>> The asp code ensures only IE will get HTML. Login and cookie checks will further secure your page from such tools.

Any more hacking tricks, let me know :)
I already know one: Using a tool which uses MSIE as HTTP_USER_AGENT, stores cookies (for login session), does not execute Javascript and <meta refresh> tags, and couple more things. But such tool can be tested with some more code and using few redirect files after login, javascript and metarefesh redirects with timers, auto form submits with redirect files enabling and checking session variables, checking HTTP_REFERER, etc. etc. to check if the software requesting the page indeed has the power of IE. If redirect url file is used to ban username/ip address when malicious request is detected, such tools may fail in testing phase itself, making it more difficult to test. If you can write such a tool, fake HTTP_REFERER, auto request pages in correct sequence, correct form data and cookies you deserve our HTML :)

I know popup window, login and other requirements of this code will not fit most web pages. This code will be helpful only in situations where you want to display important data to your logged in users, but you don't want them to view source.

The <noscript> tag redirects if JavaScript is disabled. After the page loads in popup window you can not disable JavaScript because there is no toolbar. If you use toolbar of another window, JavaScript still remains enabled in the popup window. Only way is to refresh popup window, but then <noscript> redirects.

Total waste of time, If I want it bad enough no browser trick will stop me.

Quick and dirty just hit the command line on my Linux box and use CURL to yank your HTML.

Only IE gets HTML.

Anyways, lets stop it all here.

>> Only IE gets HTML. <<

... so page will never be indexed by any search engine either then.

User Agent is incredibly easy to fake - Firefox has an extention to change it in a couple clicks just to bypass stupid IE hacks like this, for example.

tedster, that's a good link, thanks. Too bad the wrong people have been given the right to make the wrong decisions for the wrong reasons.

The greatest constraint on your future liberties may come not from government but from corporate legal departments laboring to protect by force what can no longer be protected by practical efficiency or general social consent.

Furthermore, when Jefferson and his fellow creatures of the Enlightenment designed the system that became American copyright law, their primary objective was assuring the widespread distribution of thought, not profit.

The whole idea of intellectual property is a joke to me, but it's a joke that unfortunately we've been trained to accept as serious. Any more comments and I'll be drifting hopelessly offtopic, but tedster started it, LOL...

Only IE gets HTML.

So in order to make your website "secure," not only do you make your website generally user unfriendly, but you also make your site unsearchable by the indexing spiders and you lock out 15% and growing of your potential audience. Might as well not put the webpage up at all.

I never said this page is meant for search engine crawlers; remember login page comes before it and that's where crawlers stop. The code is certainly bad to use on normal pages. It will be helpful only in tipical situations, in my case: Client sells a database of more than 1 million records (of leads), and wants to display 5K of those records as sample, but insists to make it difficult for people to easily copy even the sample data.
Of the more than 100 sites I developed this was the first time I faced such a situation where user-friendlyness does not matter much for the client.
The idea is cancelled now, comments in this forum were part of my convincing to client :)
Thanks all.

My source code (straight html) may seem primitive to some of you, but to me its artwork.

I hope people will see it, even copy it, as long as they don't scrape content or images.

Remember that painting of a Campbell's soup can that got famous?
Maybe my html code will get painted up some day. Then again, maybe not. -Larry

Jalinder:

Here's an idea that's a bit more user-friendly - stick the information you don't want copied into images. It would be pretty easy to use PHP and auto-generate the images, or you could take screenshots of it typed out, or something like that. The filesize as black and white GIF or PNG should be pretty small, so load time shouldn't be horrible. Essentially, it would be kind of like those auto-image-generators used for account verification at a lot of websites (though you probably won't want to mangle the text, just having it in the image should serve your goal).

Still not a particularly good web development practice to change all your text into images, but far better and probably a bit more reliable at keeping people from copying and pasting the info then the weird javascript stuff :)

another way round the problem would be to encrypt the html. This would not stop people looking at the source but when they viewed it it wouldn't make any sense. However I am not sure how this would affect spiders. But it could be an option for pages you don't want listed in search engines.