Is it possible to hide or scramble/obfuscate the javascript code of a webpage?

Question

I understand that client side code must be readable from the browser but I wonder (since there are too many things that I ignore) if there are ways to obfuscate to code to the end user and, if not what is the best practice to "pack" the javascript code.

Dup: http://stackoverflow.com/questions/599911/what-do-you-use-to-minimize-and-compress-javascript-libraries — Crescent Fresh, Apr 09 '09 at 16:27
Dup: http://stackoverflow.com/questions/702907/what-are-some-good-css-and-js-minimizers-for-production-code — Crescent Fresh, Apr 09 '09 at 16:27

score 9 · Accepted Answer · edited Sep 12 '19 at 06:27

9

It is good practice to minify your JS with a tool such as YUI Compressor. I would not obfuscate it unless you have a specific need to do this. There are plenty of online obfuscators such as this one

See this article: http://developer.yahoo.net/blog/archives/2007/07/high_performanc_8.html

edited Sep 12 '19 at 06:27

oo_dev

777
7
20

answered Apr 09 '09 at 14:51

Chris Ballance

33,810
26
104
151

1

Thanks @copa017 for fixing the link! – Chris Ballance Sep 12 '19 at 12:51

score 4 · Answer 2 · edited May 23 '17 at 12:32

4

Check this out.

Other than min'ing it, I don't think you can really hide js. It all goes the user's browser and there are plenty of ways of seeing it once its there.

edited May 23 '17 at 12:32

Community

1
1

answered Apr 09 '09 at 14:50

Brian

4,931
3
32
55

True, you can't *hide* it, but obfuscating and/or minifying it makes it significantly more difficult for humans to read. – Chris Ballance Apr 09 '09 at 14:53
Why would you want to hide javascript from the user? If you have some kind of business logic in it you have much bigger problems. – Greg Noe Apr 09 '09 at 14:55
http://malzilla.sf.net/ It's trivial to use a non-standard browser which spits the obfuscated JS code out in a non-obfuscated form. It's simply not possible to hide anything you send to the client. – ephemient Apr 09 '09 at 14:59
1

@Chris -- There are also "Beautifiers" available to counter that end. -- Try http://jsbeautifier.org/ – Jonathan Lonowski Apr 09 '09 at 15:00
I'm pretty lazy myself. If I want to find out how something works, I'll use firebug to check it out - if its min'ed I usually stop there. Google or SO will turn up an answer faster than trying to work out min'ed js. – Brian Apr 09 '09 at 15:06
@Brian, that's what I was going for, if you want to *discourage* reuse of your JS, you can obfuscate it. – Chris Ballance Apr 09 '09 at 15:08

Mystic · Answer 3 · 2009-04-09T14:59:51.017

2

See here for a Free Javascript Obfuscator.

Given that it is in fact possible, if the reason you intend to obfuscate is to protect intellectual property, you are probably trying to derive value from your work the wrong way. It's fairly easy to reverse the obfuscation, and you would probably be wasting time maintaining your code.

Focus more on what services you intend to provide to those who visit your site as a means to differentiate your site from competitors

edited Apr 09 '09 at 14:59

answered Apr 09 '09 at 14:52

Mystic

5,024
4
29
31

I wouldn't use this, some security apps would treat javascript that looks like this as a potential hack attempt and block it – Andrew Bullock Apr 09 '09 at 14:56
I never used it myself :) And I would never want to obfuscate my javascript either – Mystic Apr 09 '09 at 14:57

score 0 · Answer 4 · answered Aug 12 '12 at 09:57

It is possible to use following tools:

YUI Compressor - requires Java - very good compressor
Packer - creates the most confusing, and smallest code, but scripts don't run as fast as YUI - this can be used online though. Select 'Base62 encode' for maximum effect.
The Dojo Compressor I've never used this one, but it's on the top-list. It also requires Java.
JSMIN By Douglas Crockford, this one has a very simple algorythm, but it is still good. Meant to be used in combination with JSLint.

score 0 · Answer 5 · edited May 23 '17 at 10:29

0

There are tools that could be used to compress javascript code and render it difficult for the end user to understand.

edited May 23 '17 at 10:29

Community

1
1

answered Apr 09 '09 at 14:52

Darin Dimitrov

1,023,142
271
3,287
2,928

score 0 · Answer 6 · answered Apr 09 '09 at 14:53

0

Is there a reason why this won't do the trick for you?

http://www.javascriptobfuscator.com/

answered Apr 09 '09 at 14:53

Tim Cavanaugh

2,638
2
18
16

score 0 · Answer 7 · answered Apr 09 '09 at 16:08

0

Do not put any sensitive or personal information in javascript.

Spend your time on keeping your data on the server secure.

answered Apr 09 '09 at 16:08

kennebec

102,654
32
106
127

score 0 · Answer 8 · answered Apr 09 '09 at 16:22

Step 1: Don't.

You would have to do a lot to achieve any meaningful level of obfuscation. Obfuscating the names alone is not enough, since all of the standard functions will still be there (although they may be buried in a layer of shorter/obfuscated aliases), and deriving the purpose of a particular function is easy once the code is formatted nicely again. Anybody who really wants to know what your JS code does can, and will, no matter what you do to it before their browser gets a copy of it.

If you truly have valuable business processes in your JavaScript, then you're Doing It Wrong(tm).

score 0 · Answer 9 · answered Apr 10 '09 at 20:41

No obfuscation is going to keep your code truly secure and it might just give you the false illusion of security (cf. security by obscurity).

If you do need to keep some portion of your code secret, consider pulling the sensitive portions into a server side script and making (say) AJAX calls to the script. Especially with the advent of JSON, communicating with server-side scripts has never been easier.

Is it possible to hide or scramble/obfuscate the javascript code of a webpage?

9 Answers9

Linked

Related