Security

Controlled loading, cleaner signals

inDark now generates protected files with a no-eval loader by default. The code still runs only after server-side token validation, but the generated package avoids runtime eval, the pattern that most scanners and customers distrust.

How the default loader works

  1. The protected file reads the token from the request or the local .token file.
  2. The validator checks the token, payload id, expiration, IP and domain rules.
  3. PHP payloads are decoded into a protected runtime cache and loaded with require.
  4. JavaScript payloads are decoded after validation and loaded through a Blob script URL.
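
Step 2 above, sketched as an added example (not inDark's own code): a fail-closed validator that checks the token, payload id, expiration, IP and domain rules. The record layout, function names and sample values are assumptions constructed for illustration.

```javascript
// Hypothetical validator for illustration; not the product's implementation.

// Constant-time comparison so response timing does not leak token prefixes.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// Lower-case, strip port and trailing dot before comparing host names.
function normalizeHost(host) {
  return String(host || '').toLowerCase().replace(/:\d+$/, '').replace(/\.$/, '');
}

// Exact match or subdomain match on a dot boundary, so
// "evil-example.com" does not pass a rule for "example.com".
function domainAllowed(host, allowed) {
  if (allowed.length === 0) return true; // no domain rule configured
  const h = normalizeHost(host);
  return allowed.some((d) => h === d || h.endsWith('.' + d));
}

// Returns { ok, reason }. Anything not explicitly valid is denied.
function validateToken(records, req, now = Date.now()) {
  const deny = (reason) => ({ ok: false, reason });
  const presented = String(req.token || '');
  const rec = records.find(
    (r) => r.payloadId === req.payloadId && safeEqual(presented, r.token)
  );
  if (!rec || !rec.active) return deny('unknown_or_inactive_token');
  if (now >= rec.expiresAt) return deny('expired');
  if (rec.allowedIps.length && !rec.allowedIps.includes(req.ip)) return deny('ip_not_allowed');
  if (!domainAllowed(req.host, rec.allowedDomains)) return deny('domain_not_allowed');
  return { ok: true, reason: 'valid' };
}

// Constructed sample data (documentation IP ranges, placeholder token).
const RECORDS = [{
  token: 'tok_constructed_0001', payloadId: 'payload-42', active: true,
  expiresAt: Date.UTC(2030, 0, 1),
  allowedIps: ['203.0.113.10'], allowedDomains: ['example.com'],
}];
const NOW = Date.UTC(2025, 0, 1);
const SAMPLE_REQ = { token: 'tok_constructed_0001', payloadId: 'payload-42',
  ip: '203.0.113.10', host: 'shop.example.com:443' };
```

In a real deployment `req.ip` should come from the connection itself rather than a client-supplied header, and the deny reason belongs in the audit log rather than in the response.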

Security measures

Token validation

Payloads run only when a matching server-side token is active.

Restrictions

Tokens can be constrained by expiry, IP address and domain.

Audit logs

Important actions are logged without writing the protected source into audit rows.

Important note

No loader can make distributed source code impossible to inspect. The goal is to raise the cost of copying, keep licensing under your control, and remove red flags that are unnecessary for normal use.

For sensitive secrets, use server-side APIs and environment variables instead of shipping the secret inside a protected file.