9

I have some JavaScript code I need to encrypt, but I want to be sure no one can decrypt it.

What tools can I use to do this?

-- Edit --

I still want to run the code on my site, I just want to make sure no one else can decrypt the code.

James Skidmore
  • 15
    By chance, do you still want to run the code? I mean, would you like browsers to be able to decrypt it? – Frank Schwieterman Jan 13 '10 at 23:04
  • 2
    If you haven't written your javascript yet, I think GWT is pretty illegible. – Tom R Jan 13 '10 at 23:05
  • Yeah, essentially I'm going to be running the code on my site, but I want to make sure no one else can take it and run it on theirs. To do so, I'm going to include code that will double-check the domain before running the script, but I obviously need to encrypt that or else they can just change the domain name. – James Skidmore Jan 13 '10 at 23:06
  • You can't do that in Javascript because the client browser must be able to decrypt the code to run it. You have a certain amount of theoretical protection, though, that Javascript code is publicly visible on a web site, and you could search for your script and sue whoever is using it illegally. In practice, that may be a more difficult thing to do than it sounds, but it will scare off at least commercial web sites. – Pekka Jan 13 '10 at 23:16
  • 4
    The term you're looking for is *obfuscation*, not encryption. – Sasha Chedygov Jan 13 '10 at 23:17
  • There have been ways for encrypting JavaScript (see my answer below) so the term is perfectly correct. – Andris Jan 13 '10 at 23:25
  • @Andris: Yeah but it's not realistic at all. I would say the OP is definitely not looking for encryption. – Sasha Chedygov Jan 13 '10 at 23:33
  • 8
    Not only is this silly, and impossible, you probably don't even want or need to do it. What exactly do you hope to achieve by making your source code unreadable? What are you trying to protect, and who are you trying to protect it from? Chances are, it's an imagined, not a real threat. – Breton Jan 13 '10 at 23:43
  • As pointed out in the selected answer, the correct term / approach is obfuscation. To understand the subject better you may visit https://obfuscator.io – Gautam Jul 11 '21 at 06:41

15 Answers

25

The Javascript code is executed in the browser, i.e. on the client side, which means it must be available not-encrypted on the client side.

The "best" you can do is probably to minify it, which will make it harder to understand it -- and a bit of obfuscation might do too -- even if someone really motivated will still be able to read it.

See for instance the YUI Compressor, which can both minify and obfuscate JS code.

Pascal MARTIN
  • 1
    Part of the value of minification, though, is that even if someone really dedicated can see the code flow, they still can't figure out just what you mean by variable "a" or "b". – Matchu Jan 14 '10 at 00:13
  • 4
    But a masochist will be able to analyze the code and understand it. – ChaosPandion Jan 14 '10 at 00:20
  • There are online code formatters which can "unminify" the code, so minification does not protect the code in any way... – Šime Vidas Oct 01 '10 at 12:04
  • 3
    @Šime Vidas - all they can do is improve the formatting. They can't figure out what a variable called `a` represents and name it usefully - unless computers have got sentient whilst I was napping. – Dominic Rodger Oct 01 '10 at 12:07
  • @Dominic - I was referring to the quote "to minify it, which will make it harder to understand it". Minifying does not make the code harder to understand. – Šime Vidas Oct 01 '10 at 12:41
  • This answer is obsolete as of 2021. The link to YUI Compressor is broken. Please look below for more options. – Gautam Jul 11 '21 at 06:40
12

If you truly want to encrypt it so that no one else can decrypt it, you could use one of any number of encryptions. For instance, to do it manually, you could use TrueCrypt; or to do it programmatically, use the encryption libraries available in most languages.

If what you are really asking, though, is how to obfuscate the code so that no one can reverse-engineer it, the answer is: you can't, not in Javascript or any other language. The best you can do is make it more difficult on the reverse-engineers by making it hard to read; for that, there are any number of tools:

BlueRaja - Danny Pflughoeft
7

There is no way to do that. You can obscure it and have some domain checking code in it. Or you could have it served with a server-side script that checks the referring domain.

Daniel A. White
  • Thanks Daniel. If I obscure it and have domain-checking code, would people be able to decrypt it and change the domain it checks? – James Skidmore Jan 13 '10 at 23:10
  • Yes they would... obscure basically means the use of weird variable / function / class names, and remove all line breaks so the entire javascript is on one line. – Ben Everard Jan 13 '10 at 23:16
  • 1
    Since it's run on the client side if they are able to decode it they can easily remove the domain checking. Some of the idea to obfuscate your code below will help, but it's mostly a futile effort because the code is interpreted/run in the browser. – GnomeCubed Jan 13 '10 at 23:19
  • They don't even need to remove domain checking; good old "view source" and copy/paste would do. – Sasha Chedygov Jan 13 '10 at 23:21
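The server-side referring-domain check suggested in the answer above, as an added example that is not part of the original post or its comments. The handler shape, `ALLOWED_HOSTS`, the host names and the script body are assumptions made for illustration.

```javascript
// Added example: server-side gate for a script URL, keyed on the Referer host.
// ALLOWED_HOSTS, SCRIPT_BODY and the handler shape are illustrative assumptions.
const ALLOWED_HOSTS = new Set(["www.example.com", "example.com"]);
const SCRIPT_BODY = "console.log('widget loaded');"; // constructed sample payload

// Return the lower-cased host of the Referer header, or null if it is
// absent or does not parse as an absolute URL.
function refererHost(headers) {
  const raw = headers["referer"];
  if (typeof raw !== "string" || raw.length === 0) return null;
  try {
    return new URL(raw).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Decide the response for a request to the script URL.
function serveScript(headers) {
  const host = refererHost(headers);
  // Exact host match only: a substring or suffix test would also accept
  // hosts such as "example.com.other.test" or "notexample.com".
  // A missing Referer is refused here; browsers configured to omit the
  // header will therefore not load the script either.
  if (host === null || !ALLOWED_HOSTS.has(host)) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "Forbidden" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript",
      // The response varies with Referer, so shared caches must not reuse it.
      "Vary": "Referer",
      "Cache-Control": "private, no-store",
    },
    body: SCRIPT_BODY,
  };
}
```

The Referer header is supplied by the client, so this gate only keeps other sites' pages from loading the file directly in ordinary browsers. As the comments above note, it does nothing about a copy of the script hosted elsewhere.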
6

I think you're confusing encryption with compiled binary.

Not even commercial closed-source software such as Microsoft Office or Adobe Photoshop is encrypted for distribution. But they are compiled to native machine code, which makes them hard to reverse engineer.

JavaScript has no such thing as a compiled binary. But, as more and more browsers move to bytecode compilation to achieve faster performance, we may someday have a compiled JavaScript source format. Perhaps, analogous to Python's .py and .pyc files, maybe we'll have a .jsc or JavaScript Compiled file, that can be delivered to the browser in binary form, to run in its JavaScript virtual machine.

No such thing exists yet though. And even if it did, this is just a more intense obfuscation. Obfuscation is fine for preventing casual copying and sharing, but if you really need to protect your intellectual property, move the logic server-side.

jpsimons
4

There is no way to do so because at the end of the day, the code still has to run, unencrypted, on the client machine, which means the routine to decrypt the code has to be sent alongside the encrypted code. You're handing them both the lock and the key, all they have to do is turn.

Your best bet is to run it through an obfuscator, but even then, it's not like somebody won't be able to just rewrite it themselves without the need to attempt to read your code anyway.

mynameiscoffey
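The lock-and-key point in the answer above, as an added example that is not part of the original post. `xorWithKey`, `buildBundle`, the key string and the sample source are constructed for illustration, and the XOR step is a stand-in for any cipher: the result is the same with a strong one, because the key is part of what gets delivered.

```javascript
// Added example: a "self-decrypting" script bundle as the answer describes it.
// The XOR keystream is a stand-in cipher (assumption), not a recommendation.

// XOR each UTF-16 code unit with a repeating key; applying it twice
// with the same key restores the input.
function xorWithKey(text, key) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += String.fromCharCode(text.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Publisher side: everything in this object is sent to every visitor.
function buildBundle(source, key) {
  return {
    key, // has to ship, or the browser cannot run the code
    ciphertext: xorWithKey(source, key),
    // What the page would execute: decrypt, then hand plaintext to the engine.
    loader: "new Function(xorWithKey(bundle.ciphertext, bundle.key))()",
  };
}

// Recipient side: the step the loader performs before execution,
// stopped just short of executing the result.
function plaintextSeenByClient(bundle) {
  return xorWithKey(bundle.ciphertext, bundle.key);
}

// Constructed sample: a domain check like the one in the question.
const SOURCE =
  "if (location.hostname !== 'www.example.com') throw new Error('wrong site');";
const bundle = buildBundle(SOURCE, "k3y-shipped-with-page");
```

The domain check comes back byte for byte from data the publisher sent, which is why the answers on this page treat the design as obfuscation rather than confidentiality.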
4

What you want is theoretically and practically impossible. People will tell you here that it is not possible and you might think "Well, that's because nobody has tried hard enough". No. It's impossible in the same way that calculating the nth prime number in linear or constant time is impossible. It's impossible in the same way that the halting problem is impossible to solve. "What do you mean 2+2 doesn't equal five? You're not trying hard enough!"

Not only is it impossible though, but the motivations for wanting this sort of thing are normally pretty misguided. It's always a fundamental mistake to attempt to use technology to solve a problem that is fundamentally a legal problem. You want to protect your code from "pirates" or competitors, perhaps? It's not likely that you've written anything particularly worth stealing, but if you have, and you don't want people to steal it, then your only true recourse is the rule of law.

However, on a larger level, your problem is not likely going to be competitors or pirates stealing your code. Your problem is going to be business oriented: Gaining an audience through making a quality product, and the right price, and with sufficient marketing. You do that right, someone stealing your code doesn't matter. You do it right, and having the "authentic original" will appear to have real value. In fact, if you release your stuff open source, it can only really help you, because then you have an army of interested amateurs working for you for free, potentially. Piracy and reverse engineering is actually a godsend because it means people are interested enough in your product to want to improve it. The best thing is to do whatever you can to let that happen.

If your business really does depend on keeping some javascript secret, then you've basically made a mistake in your business plan at stage 1.

If your business is selling a javascript library (such things exist!), then you're no worse off than any other seller of software. The best thing to do is to market it towards honest businesses that have no problem with giving you money. The people that pirate your stuff had no intention of paying you anyway- and get the fundamental disadvantage that they don't get your technical support, or regular maintenance updates.

If this is not a business effort, then I really have no idea why you're even bothering. Proper credit?

Breton
3

While not actually encrypted, Yahoo's YUI Compressor will compress and obfuscate your JavaScript for normal use and provides better compression than JSMin.

jschmier
  • The only problem is that the code often doesn't work after that. I've tried :( – Steven Jan 13 '10 at 23:19
  • 1
    That's because you need to run your code through JSLINT first, and make it pass the JSLINT test. Code fails from a minify due to mistakes in your code that standard (forgiving) JS interpreters don't complain about. Mainly insufficient semicolons. – Breton Jan 13 '10 at 23:52
2

Microsoft used to provide Script Encoder to encode your JavaScript (and ASP and VBScript etc.) but the encoded script only worked in Internet Explorer so it was a big no-no (link)

Nowadays only obfuscation is an option. But you can break any obfuscation with tools like the Online JavaScript Beautifier so you're out of luck. You can minimize and you can obfuscate but you truly can't hide what you are doing.

The best minimizer/obfuscator is probably Google Closure Compiler - it's very advanced and might turn your code into something very hard to understand.

Andris
1

What you're looking for is obfuscation, not encryption. There are tools such as JSMin and the YUI Compressor that will make your code very unreadable, to the point where no one would want to try to make sense of it. However, there is no way to make it so that someone can't copy and paste it onto their own website and run it there. I wouldn't worry about it, honestly, because you'd be wasting your time trying to protect something that can't be protected. Try putting all your "important" logic on the server-side, if possible, because that's the only foolproof way to do it. If the browser can access it, so can anyone else.

Sasha Chedygov
1

Use this tool: Javascript Obfuscator https://javascriptobfuscator.com/Javascript-Obfuscator.aspx

Vy Do
0

I don't think you want encryption, unless you're going to write a browser extension that can decrypt the javascript.

I think GWT, or even jsmin can sufficiently compress / obfuscate your javascript for normal use.

If you want to tie some client side code to your site, you may want to consider some sort of a random handshake that depends on a server-side method to 'validate' the javascript. I don't even know if that's feasible though.

John Weldon
0

This is exactly DRM: you're giving the user a lock, and also the key to it, and expecting to be able to say what they can do with it.

It's theoretically impossible: if their computer can execute the code, it has to be unencrypted there.

It's practically impossible, too: look at everybody watching DVDs on Linux boxes to see how successful you can be.

Ken
0

The most established Javascript obfuscator as of 2021 is here and is available through npm.

Many who claim javascript obfuscation is not needed / shouldn't be done or is not a good practice haven't really understood the market dynamic of the subject reflected by the number of stars on this repo.

And obfuscator.io is a good UI to use it with ease.

Gautam
0

The only option is to run the logic server side. If you are using django, you can use middleware, or even use the views.py file to run the logic. The client will only receive the HTML. As people pointed out, obfuscation has very little effect on the readability of code, as determined people will read it out.

0

You should look for a JavaScript protection technology that provides obfuscation along with environment checks that allow you to lock the code to certain domains. Then you can also add additional runtime protection that makes it harder for someone to reverse-engineer the code and try to lift out these protections.

Check the guidelines from OWASP about reverse engineering and obfuscation. It's always better to rely on these peer-reviewed guidelines to avoid any misconceptions around obfuscation and encryption.