Domain Lock

Domain lock restricts your JavaScript code so it runs only on the domains you authorize, stopping anyone who copies it from running it elsewhere.

  • JavaScriptJavaScript
Start free
See it in ByteHide Shield
TL;DR

JavaScript ships to the browser, where anyone can copy it. Domain lock binds your code to a list of authorized domains. On any other domain, the code refuses to run. A stolen copy is worthless because it only works where you allow it.

Definition

What is domain lock?

Domain lock is a protection that restricts where JavaScript code is allowed to execute. JavaScript is delivered to the browser as it runs, which means anyone who visits your site can copy it and host it themselves.

Without a restriction, copied code runs anywhere. An attacker can lift your client-side application and deploy it on their own domain, reusing your work directly.

Domain lock prevents this. The code checks the domain it is running on against a list of domains you authorized. On an authorized domain it runs normally. Anywhere else, it refuses to execute.

Mechanism

How domain lock works

Domain lock embeds an authorization check into your code:

  • Domain allowlist. A list of authorized domains is defined when the code is protected.

  • Runtime verification. As it runs, the code checks the domain it is executing on against that allowlist.

  • Configurable response. On an unauthorized domain, the code can stop, break, or behave incorrectly.

The check is woven into the protected code, so it cannot simply be removed.

Example

Domain lock example

Your code ships unchanged. What changes when it loads on a domain you did not authorize is whether it runs at all.

Without domain lock

An attacker copies your JavaScript, hosts it on their own domain, and it runs perfectly, reusing your application for free.

With domain lock

The same copied code checks its domain, finds it is not authorized, and refuses to run.

Without domain lock
function startApp() {
    api.init(window.location.host);
    return ui.render();
}
With domain lock
function startApp() {
    api.init(window.location.host);
    return ui.render();
}

Use cases

When to use domain lock

Domain lock is most useful when your application:

  • Is JavaScript delivered to the browser and at risk of being copied.
  • Represents client-side work you do not want reused on other sites.
  • Should only ever run on domains you control.

It pairs with name obfuscation, control flow obfuscation, and anti-debugging: those make the copied code hard to read, domain lock makes it refuse to run at all.

Platform availability

Domain lock and the JavaScript platform

  • JavaScript

    Exclusive. Domain lock relies on the browser concept of a domain, so it applies to JavaScript. Other platforms control distribution through different protections.

Related

Related Shield protections

Frequently asked questions

What is domain lock?
Domain lock is a JavaScript protection that restricts code to run only on a list of authorized domains, so a copied version refuses to execute anywhere else.
Does domain lock affect performance?
No. The domain check is a small verification that runs without noticeable cost.
What happens when code runs on an unauthorized domain?
The response is configurable. The code can stop, break, or behave incorrectly, so a stolen copy does not work.
Can domain lock be bypassed?
An attacker can attempt to find and remove the check, which is why domain lock is layered with obfuscation and anti-debugging that make the check hard to locate.
Which platforms support domain lock?
Domain lock applies to JavaScript, since it relies on the browser concept of a domain.
10,000+ developers and companies protect their applications with ByteHide

Protect your application with
ByteHide Shield

Domain lock is one of more than 20 protections in ByteHide Shield. Apply it to your JavaScript application.

Start free
Book a demo
ByteHide runtime dashboard showing live threat monitoring and protection metrics