17

Recently I was asked to obfuscate my javascript in order to hide a client's api key. I'm using grunt.

Will grunt-contrib-uglify obfuscate my js?

What's the difference between uglify and obfuscate? Is one much more safe than the other?

Connor Leech
  • 18,052
  • 30
  • 105
  • 150
  • 2
    I think you'll find both approaches leave the API key exposed, albeit slightly more difficult to discern. – David Thomas Feb 27 '14 at 13:52
  • 1
    Uglify minifies, but it does not closure compile and replace variable names, nor does it obfuscate. Also, obfuscation does not improve security. – MildlySerious Feb 27 '14 at 14:09
  • 2
    I would say that in general obfuscation does improve security at least a little, in the sense that fewer people have the skills to attack the software, or that people would need to spend more time attacking the software. I would agree that there are some particular cases, such as searching for the presence of a certain string, where obfuscation may make no difference. And I wouldn't claim that obfuscation can't be reversed with effort. But if, for example, your aim is to make it harder for people to understand or modify an algorithm, then I think obfuscation does "improve security". – John Dec 10 '15 at 06:42

1 Answers1

15

Uglify is a code minification tool. It parses the JS, building a token tree out of the code, which can then be used to either compress/minify the code or 'beautify' it, making it readable for debugging, etc. Uglify will NOT obfuscate your code.

On the other hand, using an obfuscation tool such as Stephen Mathieson's Obfuscator can concatenate multiple project files into one, bundling requires and packaging. In this case it also Uglifies the entire job at the end, resulting in an obfuscated, minified JS file. It's not 100% secure, there are ways to de-obfuscate JS code, but it makes it much more difficult to decipher than flat text.

HOWEVER, I would recommend keeping a client's API key out of browser-side code whenever possible. Even if it is obfuscated, it can still be found

Isaac
  • 415
  • 8
  • 10
  • 3
    just want to point out that as far as I can tell Stephen Mathieson's Obfuscator actually uses UglifyJS as its method of obfuscating code. – antfx Sep 01 '15 at 09:29
  • @antfx Thanks for the heads up, I was under the assumption that there was more to it and that Uglify was just a layer as part of it – Isaac Sep 06 '15 at 18:57
  • 1
    I have been playing around js-obfuscator for the last few days, seems to do a good job of obfuscating rather than just ugliflying https://www.npmjs.com/package/js-obfuscator – antfx Sep 06 '15 at 20:42