7

So for a long time now I have been under the assumption that, while it does performance gains, one of the primary reasons we minify javascript/css is to give a modicum of obfuscation to it so that it is harder to reverse engineer.

However a friend of mine just showed me how it is not only possible; but extremely simple to just reverse minification on minified javascript and css.

So my question is - other than performance gains, what is the point? Is there any other actual way to protect javascript from being simply stolen right from your site?

Ciel
  • 4,290
  • 8
  • 51
  • 110
  • 1
    As far as i know it's just performance since the file size is smaller. – Huangism Mar 26 '14 at 18:20
  • 2
    "What is the point of minification?" is a very different question from "Any way to protect JS from being simply stolen?" -- which one do you want to ask? –  Mar 26 '14 at 18:21
  • 7
    There is none. Minification is exclusively for performance reasons over network activity. – Niet the Dark Absol Mar 26 '14 at 18:21
  • 1
    Less bandwidth-usage is a good enough point for most people. Reversing minification will be possible as long as you haven't obfuscated variable names, then you might still get some code out but it will be a pain to follow it. – Karl-Johan Sjögren Mar 26 '14 at 18:21
  • 1
    The only way to stop people from stealing JS from your site is to not use any. – Andy Mar 26 '14 at 18:24
  • The commenters above oversimplify. Code obfuscation is a common practice to make cracking code more difficult for malicious actors. JavaScript minification is an example of this. – – Elliott Beach Dec 15 '18 at 17:41

2 Answers2

6

Javascript minification is done primarily to increase performance. Upon minification, it's not uncommon to see >25% reduction in script size. On top of this, some minify-ers/compilers will obfuscate your code a little as well, renaming functions and variables to less obvious names.

As you've pointed out, it can always been unminified or pretty-printed, but since Javascript is a non-compiled, client-side language there isn't a whole lot you can do to protect your javascript.

See this link on javascript obfuscation.

If you have proprietary code or code you really don't want users seeing, you'll have to keep it server side. Consider moving it to a server side language such as PHP, Python, C, etc and expose the functions via web services.

Community
  • 1
  • 1
Grant Amos
  • 2,256
  • 17
  • 11
2

There is no way to prevent javascript from being stolen directly off your site. It is "stolen" the instant someone visits your site and loads the HTML page or file containing the javascript code. Minification will do nothing more from a security perspective than obfuscate your code from a casual browser. It's primary purpose is for performance.

Rule of thumb: If you don't want the user to have access to it, don't send it to the client/browser.

ElGavilan
  • 6,610
  • 16
  • 27
  • 36