Privacy of JavaScript code for cloud plugin

I am in the process of converting over a private plugin and was curious about strategy for securing my front-end codebase.

I would like to use a very minimal server-side layer, with most of the API being driven by the Confluence JS API directly from the client. The downside is that all of my JS code is exposed to the clients. To get around this, I can create my own API and call the Confluence API from the server. This is both more work for me to write, inefficient for response times, and less scalable than having code execute in the client (though maybe these last two are negligible).

Is there a way to secure at least portions of my front-end code, or is creating a pure client-side plugin going to make all of my code public?

If you’re really scared about someone stealing your frontend you could always obfuscate your JS.

I thought about that and it might be a nice interim solution initially (and should do anyway for code-size), though it still isn’t exactly “secure”.

Well, if someone really wants to steal your JS, they’ll probably find a way to do it. 🙁

If you need to do super secret calculations you should just put them in your backend, as you already pointed out. However, there’s only so many things one can do with the Confluence Cloud REST API. Whatever you do, someone that has built one or two cloud apps before will probably be able to “reverse engineer” the API calls you’re making more or less easily.

True also. Well, I think the key is to write it first and then see about the rest. Thanks for your input.
