The Content and Tool Protection Playbook for Indie Developers

If you're running an indie site with free tools, open-access content, or anything worth cloning, you need a defense stack. Not an enterprise security program — a realistic set of protections that cost under an hour apiece and catch the threats you'll actually face.

This post is the meta-playbook. Five layers, in the order we'd ship them on a new project. Three dedicated deep-dives cover individual layers; this one connects them and shows why all five together is cheaper than any one of them would be alone.

The five layers

1. Function guards — stop clones from using your API endpoints
2. HTML watermarks — detect clones after they publish
3. Terms of Use — make ownership legally unambiguous
4. DMCA procedure — a filed template ready to send
5. Clone monitoring — automated detection that doesn't require daily check-ins

Each layer catches threats the others miss. Skipping any one leaves a meaningful gap. The whole stack takes about three hours to ship; maintenance is near-zero.

Layer 1 — Function guards (prevent-at-runtime)

Your tool makes API calls: a proxy to fetch pages, a DNS probe, a TLS check, a breach check. Each of those is a serverless function. Each of those functions costs money per invocation. Each of those is reachable by anyone on the internet unless you put a gate on it.

Without a guard, a cloned site that copied your HTML still uses your API keys, your rate limits, your monthly invocation budget. You pay for their traffic.

The guard pattern is three checks at the top of every function handler:

1. Origin / Referer allowlist — 403 anything not from your own domain (or localhost for dev)
2. Per-IP rate limit — simple Map or KV-backed counter with a 1-minute window
3. Optional HMAC token — for high-cost endpoints (HIBP lookups, external API proxies, anything billable per call)

On jwatte.com this lives in a shared _guard.mjs file that every function imports. The check runs in under 2ms and rejects cloned-site traffic before it does any billable work.

The Serverless Posture Audit detects the absence of each guard layer. Paste your function code, read the findings. Also covers the platform-specific wrinkles — Cloudflare Workers use KV for rate-limit state, Deno Deploy uses Deno KV, AWS Lambda uses API Gateway usage plans — so the pattern works on every provider you're likely to deploy to.

Time to ship: 1 hour for the guard module + applying it to every existing function.

Layer 2 — HTML watermarks (detect-after-clone)

A stable, Google-searchable token in every page of your site. When a clone indexes, Google Alerts emails you. You now know the clone exists without having to run an active scanner.

The full pattern and implementation is in HTML Watermark Tokens for Clone Detection. The 30-second version: embed an HTML comment after <body> in your base layout with a random token, ownership language, canonical URL, and a clone-report email. Set up a Google Alert for the token in double quotes.

Time to ship: 15 minutes including setting up the Google Alert.

Layer 3 — Terms of Use (make-ownership-legal)

A one-page terms document that spells out:

• What you own (everything on the site)
• What's permitted (running the tools, reading the blog, sharing with attribution)
• What's prohibited (redistribution, re-hosting, automated scraping beyond a declared allow-list)
• DMCA contact (your name / email / address)
• Attribution request (how to cite you)

Copy the shape from jwatte.com/terms/, change the specifics, link from your footer. Done.

The value here is not legal force — copyright exists without terms — but operational clarity. When you file a DMCA takedown (Layer 4), the notice is stronger when you can link to a specific "prohibited redistribution" clause on your own site.

Time to ship: 20 minutes to copy and adapt.

Layer 4 — DMCA procedure (takedown-ready)

A pre-filled template with six required DMCA elements, placeholders for clone URL and date observed. When Google Alerts fires a real hit, you spend 10 minutes confirming the match and the template turns into a sent notice.

Full walkthrough, template, and safe-harbor mechanics are in DMCA Takedowns and Terms of Use for Developers.

Time to ship: 30 minutes (template + identifying your likely host targets + the ad-network reporting path).

Layer 5 — Clone monitoring (automation-for-the-tail)

Google Alerts catches most clones but has a few-day lag and occasionally misses low-authority domains Google hasn't crawled yet. For aggressive detection you can add:

• Typosquat scan — daily dnstwist run on your domain. Curl each candidate, grep for your watermark token. Alert on any hit.
• Search-API scan — daily cron that hits a search API for "your-token" -site:your-site.com. Alert on any non-empty result.
• Log-based canary — if your function guards are active, any Origin: header that matches your domain pattern but comes from an IP outside your normal traffic shape is a likely clone. Log drains (Netlify Pro) or Cloudflare Workers Logpush feed this.

We haven't shipped the active scanner on jwatte.com yet — Google Alerts has been sufficient. Fly.io or Railway with a cron service would run the script for $5/month.

Time to ship: 2–3 hours for the scanner if you build it. Often worth deferring.

Why all five, not just one

Each layer covers a specific failure mode:

• Guard only — protects your API budget but doesn't stop visual cloning; you never learn you've been cloned
• Watermark only — you learn about the clone but can't stop it from using your API; no legal ammo
• Terms only — ownership is clear but you can't detect or enforce
• DMCA only — you can respond but you never detect, and the clone drains API budget in the meantime
• Monitoring only — you detect but your API is already being abused and you have nothing to file

One layer = one failure mode covered. Five layers = the failure modes work against each other; a clone has to defeat all five to be both undetected and resource-free.

The fast-track ship order

If you have six hours to give this whole topic:

1. First 10 min — generate the watermark token, paste the HTML comment into your base layout, redeploy.
2. Next 10 min — set up the Google Alert.
3. Next 60 min — write the function guard module, apply to every existing function, redeploy. Use the Serverless Posture Audit paste-code mode to confirm each function carries the guards.
4. Next 30 min — write your Terms of Use page. Link from footer.
5. Next 30 min — save the DMCA template. Identify your three most likely host targets (whoever hosts your audience's typical clones — usually Cloudflare, DigitalOcean, OVH, AWS, or Namecheap).
6. Next 2 hours — scan your top 10 pages for issues the Mega Security Analyzer catches (CSP, HSTS, CORS, outdated dependencies) and fix the criticals.
7. Final 40 min — run the Serverless Posture Audit against each of your live function endpoints and fix the Critical + High findings.

That's the whole stack. Three hours of real work spread across six hours of elapsed time (deploy waits, Ideogram generation if you're also building images, whatever). You end the day with a site that's materially harder to clone, easier to defend if cloned, and cheaper to operate because your API is locked to your own Origin.

What you're not getting from this stack

The playbook is explicit about what it doesn't cover:

• DDoS protection at volume — needs Cloudflare or a dedicated DDoS service. The guards here stop casual abuse, not volumetric attacks.
• Bot management at sophistication — residential-proxy bot farms will bypass Origin checks by forging headers. Cloudflare Bot Management (paid) or Turnstile on public forms is the answer there. See Netlify WAF vs Cloudflare.
• Copyright registration — if your content is valuable enough to sue over, register with the U.S. Copyright Office. $65 per work, unlocks statutory damages. This playbook assumes most users aren't at that scale.
• Trademark enforcement — a different legal track. If someone clones your brand (not just your content), you need trademark counsel.
• User-generated content moderation — if your site hosts comments or uploads, you're a service provider with additional obligations beyond this playbook.

The stack is sized for indie builders, tool sites, single-author blogs, and small-team SaaS. It scales up to a point. Past that point, you're hiring security help, not reading blog posts.

Maintenance

Each layer has near-zero maintenance:

• Guards — touch them only when you add a new function. Add guard() to the top of the new handler; reuse the shared module.
• Watermark — never touch. The token stays stable forever.
• Terms — review once a year; update if you add new content types or change what's permitted.
• DMCA template — review once a year; mostly stable.
• Monitoring — Google Alerts is self-maintaining. Active scanners need occasional attention when a search API or dnstwist output format changes.

Yearly total: ~2 hours. For ongoing defense against most practical clone threats, the ROI is absurd.

The underlying point

Every clone that cost me nothing to detect and 10 minutes to take down paid for the entire stack in one incident. The trick is that the layers are cheap; the layers only matter if they're all in place before the clone happens.

If you're going to build an indie tool-and-content business — or already have one and are realizing you've never thought about this — the four supporting deep-dive posts below contain everything you need to ship the full stack this week. For the broader GTM + defense strategy, The $20 Dollar Agency is the $9.99 companion read.

Fact-check notes and sources

• DMCA safe harbor — 17 U.S.C. § 512: copyright.gov/title17/92chap5.html#512.
• U.S. Copyright Office registration (required for statutory damages): copyright.gov/registration/.
• Netlify Functions pricing and rate-limit behavior: docs.netlify.com/functions/overview/ — per-invocation billing model.
• Cloudflare Workers pricing: developers.cloudflare.com/workers/platform/pricing/.
• dnstwist typosquat-detection tool: github.com/elceef/dnstwist.
• Google Alerts documentation: support.google.com/websearch/answer/4815696.
• OWASP Top 10 threat categories (the baseline against which the guard patterns are designed): owasp.org/www-project-top-ten/.
• MITRE ATT&CK tactics and techniques referenced by the Mega Security Analyzer: attack.mitre.org.

Related reading

• Serverless Posture Audit — the tool that checks Layer 1 on every function
• HTML Watermark Tokens for Clone Detection — Layer 2 in depth
• DMCA Takedowns and Terms of Use for Developers — Layers 3 and 4 in depth
• Netlify WAF vs Cloudflare Bot Management — perimeter-layer decision
• Mega Security Analyzer — companion runtime audit for every URL you ship

This post is informational, not legal or security-consulting advice. The playbook is a starting point for indie and small-team builders. If your situation involves active incident response, regulatory obligation, or valuable IP at scale, hire professional help.