My company rents a Debian server to the clients, that they have to connect to their own network.
The server provides various services, an administration interface, and connects to the online service of my company.
As the client has access to the computer running these services, he can read their source code on the hard drive. A malicious user can search for security vulnerabilities, and it may help to reverse engineer the online services.
How can I protect the source code from the client?
The source code is in PHP, and some users have a root account on their servers (soon to be removed)