A potential fix could be to use a secret value instead of Boolean for the variable free. Secret value can be set as an ENV variable and code can be altered so free=SECRET_VALUE would work (of course we would not know what the secret value would be and most likely it would be a hashed value of a word/sentence/key). Logic of free would be if (free === SECRET_VALUE){ does what being true does} else {does what free === false would do}; To make more secure can also add checking to see if user is logged in (token auth perhaps checking cookie is valid, session id etc...), as user should not be able to access paid content without being logged in/authenticated.