
Devedge

Protecting a Laravel installation from being used elsewhere

Hello all, I was wondering if anyone had suggestions on the best way to protect a Laravel installation.

Basically, we're developing a system for a client who wants it to run on their own server. Their IT department will handle the installation and maintenance of it.

The client is concerned that someone from the company could potentially grab a copy of the system (and its database) and use it elsewhere, possibly either with a competitor or by setting up their own business (they did have a salesperson leave with a copy of all their customers who then set up their own competing business, so I can understand why they're concerned).

I think what they're looking for is some way for the system to 'phone home', perhaps checking that the active domain is the client's (and maybe also checking a file on another server to compare a key?) or something, and if it doesn't validate, locking the system so it can't be used.

Now, I'm sure with a bit of time a seasoned developer would be able to work out what's happening and get round this somehow, but we just need a way to make it as difficult as possible for someone to just up and leave with a copy of it, something which can at least give the client some time to handle things legally if time needs to be spent on getting it working by the aforementioned naughty person!

Any suggestions on how to handle something like this would be appreciated. :)

36864

Your fifth paragraph illustrates exactly why this is an entirely pointless endeavor, especially because you mention that their IT department will be doing maintenance on the project. That means they need access to the source code, eliminating any code obfuscation solutions. Furthermore, assuming you would somehow gain time from this, that time would be spent before the worker left the company, rather than after. The process would be something like Find code > make it work elsewhere > leave company rather than find code > leave company > make it work elsewhere.

Any steps you take to make the application harder to use elsewhere will also make maintenance more difficult.

The problem your client is facing is handled through legally binding contracts that clearly prohibit employees from just up and leaving with company source code, not with some convoluted DRM solution that will just be cracked by anyone who actually wants to crack it.

Any solution that would, for example, look for a specific file before running code would be easily defeated by just removing that check from the code. If your security can be beaten by a line comment, it's not security.

Any system that would look up a value in a file, environment variable or database, can be defeated in the same way. Even if you manage to somehow hide away the code that actually does the check, it will be found by anyone who's determined enough to actually start their own business.

Devedge

Yes, exactly as I thought.

Their IT department actually only consists of three people, basically looking after several WordPress sites, updating them, handling the email server and other odds and sods relating to the company computers and printers etc. I know for a fact they're not familiar with Laravel, hence we're making their system.

I was just looking for something to reassure the client a little (he's a bit paranoid now). I suppose I could add something which when a user logs in could maybe do a quick check that the system is running from the correct domain and if not ping a message with the IP address etc so at least they'll get a heads-up that something is amiss.

36864

You could do that, but what you're offering there is false security. Essentially, a lie.

Make your client understand that they need to choose between being able to maintain the code themselves, or running an obfuscated version of the software. There is absolutely no way to implement DRM and also keep the source code available for maintenance on the server.

Devedge

Just to be clear, I want to point out that there's no way I'd lie about security to any client; it's just that, as there's no other way to protect it, if he knows I can set it to ping him a message if it ever goes 'off-server' it'll go some short way towards reassuring him… assuming that part is left intact.

It's about peace of mind and, whilst we can't guarantee it, being able to say the system could do this one, small thing to alert him will probably help a little.

Thanks for your reply, it's pretty much as I expected, just thought I'd ask the question.

martinbean

@Devedge Unfortunately you can’t have it both ways. Either the source code is given to the client and then it’s in their hands, or your company hosts the application and the client doesn’t have to worry about it being “stolen”.

36864
Best Answer

Just make sure you very clearly state that what you can guarantee is that your app will "phone home" if someone attempts to run it unmodified, and that there is nothing you can do to prevent modification of the source code if your client still wants access to it.

I know I'm just sounding negative here, but this is the sort of thing you really don't want your client to be able to sue you over when/if someone actually does steal the software.

You can ensure that no unmodified copy of your app will run on any server other than the one you specify, for example, in your .env file. What you cannot ensure is that anyone who has access to the source code will be unable to circumvent any steps you take towards securing the app.

All I know for sure is I don't envy your position. Best of luck.

Devedge
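The check discussed in this thread, a comparison of the host the app is actually serving against the one configured in .env, reported as an alert rather than a hard lock (Devedge's login-time idea and 36864's point that only an unmodified copy can be made to phone home), as an added example for this page. It is not code from Devedge's project or from Laravel itself. It assumes a Laravel 10-style middleware class registered in app/Http/Kernel.php and that the expected host is set through APP_URL in .env (read via config('app.url')); the class name VerifyDeploymentHost and the log message prefix are hypothetical. As the replies note, the middleware is only an early-warning signal while the source is left intact.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

/**
 * Hypothetical middleware written for this thread (not part of Laravel or the
 * client's project). It compares the Host the app is serving with the host in
 * APP_URL and logs a warning when they differ. It deliberately does not block
 * the request: a copied install that still runs this code simply announces
 * itself, and a misconfigured APP_URL never locks the real operators out.
 */
class VerifyDeploymentHost
{
    public function handle(Request $request, Closure $next): Response
    {
        // Expected host comes from .env, e.g. APP_URL=https://crm.client.example
        $expected = parse_url((string) config('app.url'), PHP_URL_HOST);
        $actual   = $request->getHost();

        if (! is_string($expected) || $expected === '') {
            // APP_URL has no usable host: record it and carry on.
            Log::warning('deployment-check: APP_URL has no host; skipping check');

            return $next($request);
        }

        if (! self::hostMatches($expected, $actual)) {
            // Enough context for the client to see where the copy is running.
            Log::warning('deployment-check: app served from unexpected host', [
                'expected'  => $expected,
                'actual'    => $actual,
                'server_ip' => $request->server('SERVER_ADDR'),
                'client_ip' => $request->ip(),
                'user_id'   => optional($request->user())->id,
                'path'      => $request->path(),
            ]);
            // A mail or chat notification could be dispatched here; logging
            // keeps this example free of extra dependencies.
        }

        return $next($request);
    }

    /** Exact, case-insensitive host comparison; no wildcard subdomains. */
    public static function hostMatches(string $expected, string $actual): bool
    {
        return hash_equals(strtolower($expected), strtolower($actual));
    }
}
```

To run it on every request, add `\App\Http\Middleware\VerifyDeploymentHost::class` to the `$middleware` array in app/Http/Kernel.php (or to the `web` group if only browser traffic matters); on Laravel 11 the equivalent registration lives in bootstrap/app.php. Reading the expected host from config rather than hard-coding it keeps the value in the one place the client's IT staff already maintain.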

That's exactly what I'll do @36864, it's about managing client expectations and making sure your contract is bulletproof.

Thanks for your advice, most appreciated.
