I've a rather odd requirement: I want users to be able to verify the live source code of a web app before they input data or extract data from it.
Or, on a more higher level, the users need to be reasonably assured of what is being done (and not done) in the back end. Of course, if you inspect the stream from a process external to the web server, this becomes a useless exercise. But I only need a reasonable level of assurance.
What are the options? I'm willing to use pretty much any server side language/platform, provided it serves the purpose better than the alternatives. It cannot be a method that can be used to easily spoof the source code -- there has to be some assurance that the code is live and not a separate copy (something equivalent to making /var/www/app and apache conf world-readable, but not exactly).
Update: this should be read-only
Giving them access to your Git sources is simple and straightforward. If you cannot convince them that you deploy what you show, you lose anyway. There is no way to prove that with a more convoluted system either (short of giving them write access!)
No server-side solution will do. If the users don't trust the server to begin with then showing them some code will not convince them that the code is actually what processes their input, or that no one is listening in on the traffic or on the server-side process.
If the server is not a trusted platform as far as the users are concerned, then you will have to execute the code somewhere the users do trust. On a trusted 3rd-party, or even better on the user's machine itself. Be that as a downloable module they can inspect and run themselves (something interpreted, most likely, like Python or node) or even better: in their browser.