Domain Lock

Potency Medium
Resilience Medium
Cost Medium
Tags: domain, lock, IP, code lock


Domain Lock locks code to a specific domain name or IP address. This is a good transformation to avoid someone stealing the protected code and running it on their own domain or locally. This is also a good transformation to enforce license agreements. Countermeasures can be specified (optionally) to be executed when the code runs in any other domain/IP.

Consider combining this transformation with obfuscation transformations to harden the resulting code, making it more resilient to automated deobfuscation tools and harder for a human to understand. You may also find it useful to combine this transformation with other locks.

Input Examples

  • - Code will break if not running inside the domain
  •, - Code will break if not running inside either or
  • * - Code will break if not running inside of its sub-domains
  • ? - Code will break if not running inside or one of its sub-domains
  • 192.168.* - Code will break if not running in an IP inside the 192.168. network
  • file://Users/you/* - Code will break if not running inside your user directory

Code Annotation Example

// @jscrambler define domainLock {domains: [], countermeasures: {breakApplication: 1, customCallback: report.callbackFunction}} as dl1
// @jscrambler enable dl1

Option Types

Name | Required | Default Value | Description
domains | Yes | N/A | List of domains/IPs where the code is allowed to run (supports wildcards to match sub-domains, IP networks, and IP host ranges).
countermeasures | Yes | {"deleteCookies": false, "breakApplication": true, "realTimeNotifications": false, "dataExfiltrationPrevention": false, "selfDestruct": false} | List of available countermeasures


Name | Description
customCallback | Name of the function to be called as a countermeasure.
deleteCookies | Deletes all the cookies accessible via JavaScript.
redirect | Redirects the user to a specific URL.
breakApplication | Breaks the application's functionality.
realTimeNotifications | Sends a notification when a violation occurs.
dataExfiltrationPrevention | Prevents a malicious actor from carrying out an unauthorized data transfer by blocking network requests.
selfDestruct | Attempts to damage the state and behavior of the application and/or the environment that is running the application.
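
An added example (not Jscrambler's code): a pre-build lint for a domainLock parameter object, using the option and countermeasure names from the tables above. The function name lintDomainLock, the lint rules and the sample values are assumptions of this example.

```javascript
// Added example: lint a domainLock parameter object before a build is submitted.
// Countermeasure names are from this page; the rules are this example's assumptions.
const KNOWN_COUNTERMEASURES = new Set([
  "customCallback", "deleteCookies", "redirect", "breakApplication",
  "realTimeNotifications", "dataExfiltrationPrevention", "selfDestruct",
]);
const PRIVATE_HOST = /^(localhost$|127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;

function lintDomainLock(param) {
  const findings = [];
  const opts = (param && param.options) || {};
  const domains = Array.isArray(opts.domains) ? opts.domains : [];
  if (domains.length === 0) findings.push("error: 'domains' is required and must not be empty");
  for (const d of domains) {
    if (typeof d !== "string" || d.trim() === "") {
      findings.push(`error: invalid domain entry ${JSON.stringify(d)}`);
    } else if (/^[*?.]+$/.test(d)) {
      // Assumption: a wildcard-only pattern would match any host.
      findings.push(`error: '${d}' is only wildcards and restricts nothing`);
    } else if (d.startsWith("file://")) {
      findings.push(`warn: '${d}' allows local files; remove it from production builds`);
    } else if (PRIVATE_HOST.test(d)) {
      findings.push(`warn: '${d}' is a private or loopback address; confirm it is intended`);
    }
  }
  const cm = opts.countermeasures;
  if (cm === null || typeof cm !== "object" || Array.isArray(cm)) {
    findings.push("error: 'countermeasures' is required and must be an object");
    return findings;
  }
  for (const key of Object.keys(cm)) {
    if (!KNOWN_COUNTERMEASURES.has(key)) findings.push(`error: unknown countermeasure '${key}'`);
  }
  // false, null and 0 are treated as "off"; misspelled keys do not count as enabled.
  const enabled = Object.entries(cm).some(
    ([k, v]) => KNOWN_COUNTERMEASURES.has(k) && v !== false && v !== null && v !== 0);
  if (!enabled) findings.push("warn: no countermeasure is enabled; confirm this is intended");
  return findings;
}

// Constructed sample input (illustrative values only).
const sample = {
  name: "domainLock",
  options: {
    domains: ["192.168.*", "file://Users/you/*", "*"],
    countermeasures: { breakApplication: false, redirect: null, deletCookies: true },
  },
};
console.log(lintDomainLock(sample).join("\n"));
```

Running a check like this in CI catches development-only entries and misspelled countermeasure keys before the protected build is produced.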

Browser Compatibility

Browser | Compatible Versions | Tested Versions | Notes
Chrome | 80+ | 80+ |
Firefox | 80+ | 80+ |
Internet Explorer | 9+ | 8+ |
Microsoft Edge | 111+ | 111+ |
Safari | 12.1+ | 12.1+ |

API Parameters


{
  "keys": {
    "accessKey": "XXXXXX",
    "secretKey": "YYYYYY"
  },
  "applicationId": "ZZZZZZ",
  "params": [
    {
      "name": "domainLock",
      "options": {
        "domains": [],
        "countermeasures": {
          "customCallback": null,
          "deleteCookies": false,
          "redirect": null,
          "breakApplication": true,
          "realTimeNotifications": false,
          "dataExfiltrationPrevention": false,
          "selfDestruct": false
        }
      }
    }
  ]
}