People have been saying so many good words for HTML5, but one of my main concern is how to protect the source code of my game.
essentially..
"You can't" is the answer to all 3 questions. The only thing you can do is to slow down whoever's interested in your code by ofuscating it, but ultimately, if somebody wants to use your code, there's nothing you can do about it.
i personally use Google Closure Compiler with advanced compression to obfuscate my code (download the Java-file, don't use the online-version!). It takes some extra effort to prepare the code but it's all very well docmented and once you understood how the compiler works it's really easy to comply with its rules. It not only obfuscates your code but actually optimizes it for execution speed and file size as well.
to be clear - yes the other guys are right, no ultimate protection... bla bla. BUT: ever tried to make heads or tails of googles JavaScript? I tried and failed. If you use obfuscated class-names and very few strings in your code it will be very hard to read, meaning it might takes months depending on the complexity of your code.
For API-calls things are different. encryption won't work as the decryption code will be visible within the javascript - even with obfuscation that part will be hard to hide as AJAX code always looks a bit alike... Also encryption uses up CPU time which you probably need elsewhere. Deferring is one way but in the end, API-calls will be more or less readable.
Obfuscating your javascript code could be one important step. Obfuscation can make the code so complex that no sane person would try to hack it.
I have been using jscrambler.com with good results. That said, obfuscation will not solve every problem. Users will still be able to view all the traffic exchanged between the browser and the server. So they will know how the API works and how to use it.
To avoid this you can use encryption of messages using javascript. This could be helpful in securing the content. I found a post on stackoverflow that discuss encryption using javascript: Javascript AES encryption. There are a few implementations that can be used that have a low performance impact.
Last but not least, all inputs should be thoroughly checked on the server side. All logic that can be implemented on the server side should remain there.
You could run your game on a touch screen pc in secure hardware cabinet (like at an Airport) and not make it accessible via the internet. Maybe not the ideal answer you were looking for though.
Ultimately, there is no protection of assets on the web. If you can see it in a browser, you can download it with curl. If protection of assets is a major concern for you, I don't recommend HTML and JavaScript.
You can obfuscate your code to prevent casual theft and use SSL to prevent snooping, but industrious people will still be able to access these assets in other ways.
Minifying your js code will make it much harder to reuse but not impossible
There is no physical ways to copy protect digital files. Many industries have tried. Many have failed. Sadly, many will continue to try and continue to fail, but business seems to have trouble learning from their past mistakes at times.
Best to not focus too much on that. Focus on your customers.
Was asking myself the same question in 2019 as am developing on Babylon....till today there is no bulletproof method to do this, BUT you CAN minimize your risk exposure by getting visitors to register as users , and protect your game code behind a login-level access.
