64

Is there any way to hide or encrypt JavaScript code to prevent people from viewing, copying, and/or modifying proprietary programs?

Samuel Liew
  • 76,741
  • 107
  • 159
  • 260
  • Try this link: http://stackoverflow.com/questions/6869312/how-do-i-hide-javascript-code-in-a-webpage/13262948#13262948 -Jepp – Jepp Nov 07 '12 at 04:22

7 Answers7

94

You can obfuscate it, but there's no way of protecting it completely.

example obfuscator: https://obfuscator.io

Sev
  • 15,401
  • 9
  • 56
  • 75
  • It works fine and returns no errors by default options. Thank you! –  Aug 08 '13 at 02:20
  • Use Encode.js : encodejs.devincity.com – nachshon f Apr 30 '17 at 17:36
  • You can completely hide it from the source view, but it will be visible using some advanced knowledge with Chrome Inspector, or other tools. – Lucian Minea Mar 07 '18 at 10:25
  • if I save YouTube video URL in variable and after user enter right password the URL will enter in Iframe. THE question is will it secure youtube url in source code as well as chrome inspector. i want that the user can only see video in my website and unable to copy url ? But i want to do this with JavaScript or PHP – muhaymin khan Mar 17 '21 at 12:29
  • Created an HTML Obfuscator using JavaScript, it obfucates script as well. Created this quite a while ago, over 10 years ago, you can use it freely on my archival server. http://vps-net.com/internet-development-tools/html-data-obfuscation-web-tool.php#FirstStep – DoctorLouie Jul 03 '22 at 07:25
  • If you were to obfuscate code that absolutely depends on running at a specific domain (for example all Json files parsed from server are decrypted using a key derived from location.origin), and you use a decent obfuscator, assuming you own the domain, you can lock it down, right? – unsynchronized Dec 09 '22 at 18:34
8

No, it's not possible. If it runs on the client browser, it must be downloaded by the client browser. It's pretty trivial to use Fiddler to inspect the HTTP session and get any downloaded js files.

There are tricks you can use. One of the most obvious is to employ a javascript obfuscator.

Then again, obfuscation only prevents casual snooping, and doesnt prevent people from lifting and using your code.

You can try compiled action script in the form of a flash movie.

Alan
  • 45,915
  • 17
  • 113
  • 134
6

While everyone will generally agree that Javascript encryption is a bad idea, there are a few small use cases where slowing down the attack is better than nothing. You can start with YUI Compressor (as @Ben Alpert) said, or JSMin, Uglify, or many more.

However, the main case in which I want to really 'hide stuff' is when I'm publishing an email address. Note, there is the problem of Chrome when you click on 'inspect element'. It will show your original code: every time. This is why obfuscation is generally regarded as being a better way to go.

On that note, I take a two pronged attack, purely to slow down spam bots. I Obfuscate/minify the js and then run it again through an encoder (again, this second step is completely pointless in chrome).

While not exactly a pure Javascript encoder, the best html encoder I have found is http://hivelogic.com/enkoder/. It will turn this:

<script type="text/javascript">
//<![CDATA[
<!--
var c=function(e) { var m="mail" + "to:webmaster";var a="somedomain"; e.href = m+"@"+a+".com";  
};
//-->
//]]>
</script>
<a href="#" onclick="return c(this);"><img src="images/email.png" /></a>

into this:

<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
"=50){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
".substr(0,ol);}f(\")87,\\\"meozp?410\\\\=220\\\\s-dvwggd130\\\\#-2o,V_PY420" +
"\\\\I\\\\\\\\_V[\\\\\\\\620\\\\o710\\\\RB\\\\\\\\610\\\\JAB620\\\\720\\\\n\\"+
"\\{530\\\\410\\\\WJJU010\\\\|>snnn|j5J(771\\\\p{}saa-.W)+T:``vk\\\"\\\\`<02" +
"0\\\\!610\\\\'Dr\\\\010\\\\630\\\\400\\\\620\\\\700\\\\\\\\\\\\N730\\\\,530" +
"\\\\2S16EF600\\\\;420\\\\9ZNONO1200\\\\/000\\\\`'7400\\\\%n\\\\!010\\\\hpr\\"+
"\\= -cn720\\\\a(ce230\\\\500\\\\f730\\\\i,`200\\\\630\\\\[YIR720\\\\]720\\\\"+
"r\\\\720\\\\h][P]@JHADY310\\\\t230\\\\G500\\\\VBT230\\\\200\\\\Clxhh{tzra/{" +
"g0M0$./Pgche%Z8i#p`v^600\\\\\\\\\\\\R730\\\\Q620\\\\030\\\\730\\\\100\\\\72" +
"0\\\\530\\\\700\\\\720\\\\M410\\\\N730\\\\r\\\\530\\\\400\\\\4420\\\\8OM771" +
"\\\\`4400\\\\$010\\\\t\\\\120\\\\230\\\\r\\\\610\\\\310\\\\530\\\\e~o120\\\\"+
"RfJjn\\\\020\\\\lZ\\\\\\\\CZEWCV771\\\\v5lnqf2R1ox771\\\\p\\\"\\\\tr\\\\220" +
"\\\\310\\\\420\\\\600\\\\OSG300\\\\700\\\\410\\\\320\\\\410\\\\120\\\\620\\" +
"\\q)5<: 0>+\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;" +
"721=%y;++y)87<i(fi{)++i;l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noit" +
"cnuf\")"                                                                     ;
while(x=eval(x));
//-->
//]]>
</script>

Maybe it's enough to slow down a few spam bots. I haven't had any spam come through using this (!yet).

cmroanirgo
  • 7,297
  • 4
  • 32
  • 38
  • 1
    Another alternative is https://cloakedjs.com/ which obfuscates, encrypts, and adds debug prevention and domain locking. Still not 100% secure ... but then again, it is in a browser. – AnyWhichWay Jun 10 '20 at 20:25
5

One of the best compressors (not specifically an obfuscator) is the YUI Compressor.

Sophie Alpert
  • 139,698
  • 36
  • 220
  • 238
3

JavaScript is a scripting language and therefore stays in human readable form until it is time for it to be interpreted and executed by the JavaScript runtime.

The only way to partially hide it, at least from the less technical minds, is to obfuscate.

Obfuscation makes it harder for humans to read it, but not impossible for the technically savvy.

BakerTheHacker
  • 344
  • 2
  • 2
2

The only safe way to protect your code is not giving it away. With client deployment, there is no avoiding the client having access to the code.

So the short answer is: You can't do it

The longer answer is considering flash or Silverlight. Although I believe silverlight will gladly give away it's secrets with reflector running on the client.

I'm not sure if something simular exists with the flash platform.

Andrew Harry
  • 13,773
  • 18
  • 67
  • 102
2

If you have anything in particular you want to hide (like a proprietary algorithm), put that on the server, or put it in a Flash movie and call it with JavaScript. Writing ActionScript is very similar to writing JavaScript, and you can communicate between JavaScript and ActionScript. You can do the same with Silverlight, but Silverlight doesn't have the penetration Flash does.

However, remember that any mobile phones can run your JavaScript, but not Silverlight or Flash, so you're crippling your mobile users if you go with Flash or Silverlight.

Nosredna
  • 83,000
  • 15
  • 95
  • 122
  • 10
    Just in case anyone sees this and doesn't realise it's not 2009 anymore, don't do this. Flash and Silverlight are now pretty much dead. – Liam May 08 '18 at 14:02