6

Possible Duplicate:
How can I obfuscate JavaScript?

I want to "protect" my Javascript code. Are there any good, recommended ways which are very difficult to hack?

I tested some encoders on the Web and sometimes my Javascript code doesn't work after encoding. Is this normal (because the encoder is very bad)?... or is my code too bad/buggy?

Community
Peter
  • 4
    I swear this question gets asked every single day. "Oh no, someone will steal my code!" – Marko Oct 11 '10 at 07:18

4 Answers

8

You can't prevent anyone from looking at your javascript code. It's basically the same as html in that way. You can make it very difficult to decipher, aka obfuscation, but you really gain nothing from this.

If you have application critical code that for whatever reason you feel is mission critical, design your web app in such a way that the "protected" code is run on the server. Communicate to the front-end (the browsers) using xhr requests that are only passing state data back and forth.

Geuis
3

This is not possible, as the browser needs to understand your javascript when it arrives, hence a human can understand it too.

To make our web app more efficient we decided to compress (YUI for JS and CSS) and put all the main resources in the HTML page inline (HTML, CSS and JS); a shell script does that automatically during the deployment.

As an unexpected result, if you view the source of our app, you get a pretty unreadable ~250kb string.
This won't stop the guy that really wants to get your code, but it will discourage many.

Mic
0

You can compress your javascript. Yahoo provides an online tool to compress your file. It also supports variable replacement, i.e. replacing your logical function names and variable names with a, b, c etc. to protect your client side business logic.

http://refresh-sf.com/yui/

Chinmayee G
  • 2
    This protects nothing. If your JavaScript is going to work on a web page its source must be made visible, pure and simple. Four answers to this question and the only wrong one gets picked... sigh... – ubiquibacon Oct 11 '10 at 07:31
0

You cannot "protect" your JavaScript because it is client side; the best you can do is to verify any user input server side to make sure users have not injected any malicious code or attempted any form of XSS (Cross Site Scripting). It is very important to verify server side, especially since a person could inject code into a poorly made site with nothing but Firebug. Basically you need to make sure you never write a string back that the user has entered until that string has been encoded. There is more to security than encoding user strings, but that fixes many security holes by itself.

ubiquibacon
  • 1
    By "protect" I think he means make it difficult to steal the code. (edit) Oh no, I see now the word 'hack'. Sorry, then your answer is correct. – Herman Schaaf Oct 11 '10 at 07:19
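
The server-side approach from Geuis's and ubiquibacon's answers above, as an added example that is not part of any original answer: the "protected" logic stays on the server, the browser sends only state over XHR, and the server validates that state and encodes the user's string before writing it back. All function names, field names, limits and rates are hypothetical.

```javascript
// Added example, not from the original answers; every name here is hypothetical.

// Stays on the server: never sent to the browser, so there is nothing to read.
function computeDiscountPercent(quantity, tier) {
  const rates = { basic: 0, silver: 5, gold: 12 }; // constructed sample rates
  return rates[tier] + (quantity >= 100 ? 3 : 0);
}

// Encode a user-entered string before it is written back into HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

const reject = (error) => ({ status: 400, body: { error } });

// Handler for the body of an XHR POST. The client sends state only, and every
// field is re-checked here because anything running in the browser can be altered.
function handleQuoteRequest(rawBody) {
  let state;
  try {
    state = JSON.parse(rawBody);
  } catch (err) {
    return reject('invalid JSON');
  }
  if (state === null || typeof state !== 'object') return reject('invalid body');
  const { quantity, tier, note } = state;
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 10000) {
    return reject('invalid quantity');
  }
  if (!['basic', 'silver', 'gold'].includes(tier)) return reject('invalid tier');
  if (typeof note !== 'string' || note.length > 200) return reject('invalid note');
  return {
    status: 200,
    body: {
      discountPercent: computeDiscountPercent(quantity, tier),
      noteHtml: escapeHtml(note), // encoded for an HTML text node or quoted attribute
    },
  };
}
```

The browser only ever sees the JSON response, so minifying or obfuscating the client script is no longer what keeps the discount rules private.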