How can I obfuscate JavaScript?

Obfuscation: Try YUI Compressor. It's a very popular tool, built, enhanced and maintained by the Yahoo UI team. Private String Data: Keeping string values private is a different concern, and obfuscation won't really be of much benefit.

Of course, by packaging up your source into a garbled, minified mess, you have a light version of security through obscurity. Most of the time, it's your user who is viewing the source, and the string values on the client are intended for their use, so that sort of private string value isn't often necessary. If you really had a value that you never wanted a user to see, you would have a couple of options.

First, you could do some kind of encryption, which is decrypted at page load. That would probably be one of the most secure options, but also a lot of work which may be unnecessary. You could probably base64 encode some string values, and that would be easier.. but someone who really wanted those string values could easily decode them.

Encryption is the only way to truly prevent anyone from accessing your data, and most people find that to be more security than they need. Sidenote: Obfuscation in Javascript has been known to cause some bugs.. The obfuscators are getting a little better about it, but many outfits decide that they see enough benefit from minifying and gzipping, and the added savings of obfuscation isn't always worth the trouble. If you're trying to protect your source, maybe you'll decide that it's worth your while, just to make your code harder to read.

JSMin is a good alternative.

7 I want to add that doing a base64 encode will be of no benefit to security, since it is a trivially reversable procedure. Even encrypting it won't help if it's decrypted client-side. The only way to ensure security of a string is to have the client ONLY see the encrypted string, and it is passed to – Claudiu Oct 11 '08 at 21:13 3 the server for further processing.

– Claudiu Oct 11 '08 at 21:14 5 FYI, online YUI compressor may be found here: refresh-sf. Com/yui – mtness Jan 19 '10 at 14:45 Encrypting the string values will be only of marginally more benefit than base64 encoding them, if they have to be decrypted by the browser to use them. The reason is that you'll have to give the browser the encryption key as well, and anything the browser can do the user can too.

– Ben yesterday.

I'm surprised no one has mentioned Google's Closure Compiler. It doesn't just minify/compress, it analyzes to find and remove unused code, and rewrites for maximum minification. It can also do type checking and will warn about syntax errors.

JQuery recently switched from YUI Compresser to Closure Compiler, and saw a "solid improvement.

11 yes, but recently they left Closure compiler and are using UglifyJS now. The JQuery code was buggy after compressing with closure compiler – Chielus May 24 '11 at 7:32.

Obfuscation can never really work. For anyone who really wants to get at your code, it's just a speed bump. Worse, it keeps your users from fixing bugs (and shipping them back to you) and makes it harder for you to diagnose problems in the field.

Its a waste of your time and money. Write a license and get a lawyer to go after violators. The only way you can really protect your code is to not ship it.

Move the important code server-side and have your public Javascript code do Ajax calls to it. See my full answer about obfuscators here.

1 +1 on the Lawyer, but that might not work in other countries/jurisdictions. – jmort253 Feb 16 '11 at 23:07 1 Lawyers probably create more costs/issues than the lost code, think very carefully and arrange lots of money to engage lawyers! – andora Mar 10 '11 at 13:14 -1: I believe that finding a lawyer that understand JavaScript would be hard... Not to the mention the fees and the amount of time needed to find "violators".

Can someone really be violating a license that is buried in the HTML/JavaScript files if he never signed anything? +1 for the AJAX calls. – Alerty Oct 30 '11 at 17:14 @Alerty 1) Licenses fundamentally are about granting use of copyrighted material.

You have little right to use it without the license. You don't have to sign it to get the rights. A license is different from a contract.2a) Since the question is about people copying and using the HTML/Javascript without permission, the license is not "buried", it's right there on the thing being taken.2b) You have little right to use someone else's copyrighted material without a license.

3) The lawyer does not need to understand Javascript, just intellectual property law. – Schwern Oct 31 '11 at 19:06 @Schwern: I would logically assume that there had to be some kind of license software agreement in order to validate the conditions of the usage of the copyrighted material. There is no way to see those conditions without loading the page that contains the license within the JavaScript file.

So for example, if the license says that the end user must give $100 for each use there would be no way for the end user to accept before using the copyrighted material. In other words, it would not be fair and could be seen has fraudulent. – Alerty Nov 1 '11 at 4:19.

There are a number of JavaScript obfuscation tools that are freely available; however, I think it's important to note that it is difficult to obfuscate JavaScript to the point where it cannot be reverse-engineered. To that end, there are several options that I've used to some degree overtime: YUI Compressor. Yahoo!'s JavaScript compressor does a good job of condensing the code that will improve its load time.

There is a small level of obfuscation that works relatively well. Essentially, Compressor will change function names, remove white space, and modify local variables. This is what I use most often.

This is an open-source Java-based tool. JSMin is a tool written by Douglas Crockford that seeks to minify your JavaScript source.In Crockford's own words, "JSMin does not obfuscate, but it does uglify. " It's primary goal is to minify the size of your source for faster loading in browsers.

Free JavaScript Obfuscator. This is a web-based tool that attempts to obfuscate your code by actually encoding it. I think that the trade-offs of its form of encoding (or obfuscation) could come at the cost of filesize; however, that's a matter of personal preference.

14 Since the Javascript code must run on the client's machine it is not just difficult to obfuscate to the point where code can not be reversed-engineered but impossible. – Schwern Oct 25 '08 at 23:27.

You can obfuscate the javascript source all you want, but it will always be reverse-engineerable just by virtue of requiring all the source code to actually run on the client machine... the best option I can think of is having all your processing done with server-side javascript, and all the client code javascript does is send requests for processing to the server itself. Otherwise, anyone will always be able to keep track of all operations that the code is doing. Someone mentioned base64 to keep strings safe.

This is a terrible idea. Base64 is immediately recognizable by the types of people who would want to reverse engineer your code. The first thing they'll do is unencode it and see what it is.

1 @Claudiu Please explain what you mean by server-side javascript. I didn't understand. – Vivek Kodira Oct 12 '08 at 4:10 3 Wherever I go, the most common answer to "how can I obfuscate my Javascript?" is "you shouldn't worry about that because someone could un-obfuscate it.

" This is not really an answer. – Travis Wilson Jul 31 '09 at 16:00 2 @Vivek: A bit late, but what I really meant is "server-side code". It is possible to run javascript not in a browser, just on a server, but I don't know how common that is.

– Claudiu Oct 6 '10 at 22:00 4 @Travis: I didn't say "you shouldn't worry about it. " I just said that if you want a closed-source program, you're not going to want to write it in client-side javascript, because any obfuscation you do will not prevent it from being (pretty easily) reverse-engineered. – Claudiu Oct 6 '10 at 22:01.

The problem with interpreted languages, is that you send the source to get them working (unless you have a compiler to bytecode, but then again, it is quite trivial to decompile). So, if you don't want to sacrifice performance, you can only act on variable and function names, eg. Replacing them with a, b... aa, ab... or a101, a102, etc.And, of course, remove as much space/newlines as you can (that's what so called JS compressors do). Obfuscating strings will have a performance hit, if you have to encrypt them and decrypt them in real time.

Plus a JS debugger can show the final values...

Contrary to most of the other answers I suggest against YUI Compressor; you should use Google Closure. Not much because it compresses more, but mostly because it will catch javascript errors such as a = 1,2,3,; which make IE go haywire.

A non-open-source Javascript-based application is fairly silly. Javascript is a client-side interpreted language.. Obfuscation isn't much protection.. JS obfuscation is usually done to reduce the size of the script, rather than "protect" it. If you are in a situation where you don't want your code to be public, Javascript isn't the right language.. There are plenty of tools around, but most have the word "compressor" (or "minifier") in its name for a reason..

Try JScrambler. I gave it a spin recently and was impressed by it. It provides a set of templates for obfuscation with predefined settings for those who don't care much about the details and just want to get it done quickly.

You can also create custom obfuscation by choosing whatever transformations/techniques you want.

I can recommend JavaScript Utility by Patrick J. O'Neil. It can obfuscate/compact and compress and it seems to be pretty good at these.

That said, I never tried integrating it in a build script of any kind. As for obfuscating vs. minifying - I am not a big fan of the former. It makes debugging impossible (Error at line 1... "wait, there is only one line") and they always take time to unpack.

But if you need to... well.

The final call to _1234(_5678); can easily be replaced with alert(_5678);. I acknowledge that javascript obfuscation is weak, but this technique is particularly ineffective. – Brian Nov 8 '11 at 16:23 Right.

But we call that 'obfuscation' and it can not be solved by everyone. It is always possible to decode or deobfuscate javascript codes, our goal is only making it more difficult. However, now it is improved.

– Huseyin Dec 10 '11 at 17:37 It's still just a one-line call to alert(_5678), though _5678 is hidden in a different place. Still, this is substantially weaker than using an obfuscation tool, which will irreversibly hide things like comments, variable names, and spacing. – Brian Dec 11 '11 at 0:23 I think my approach is different from others.

You solve the previous version of it, because you know javascript. New version is harder to solve. According to me, a person who knows javascript enough to decode my codes, can also understand other codes encoded or obfuscated with different approaches... Thanks for the comments.

– Huseyin Dec 13 '11 at 6:58.

This one minifies but doesn't obfuscate. If you don't want to use command line Java you can paste your javascript into a webform.

I'm under the impression that some enterprises (e.g. : JackBe) put encrypted JavaScript code inside *. Gif files, rather than JS files, as an additional measure of obfuscation.

Obfuscation is not protection nor compression. Compression is a way to obfuscation.

I would suggest first minify with something like YUI Compressor, and then convert all string and numbers to HEX Values using something like javascriptobfuscator.com/ With this, the code would be rendered near impossible to understand and I think at this Stage it will take more time for a Hacker to re-enact your code than actually if he re-wrote from scratch. Rewriting and Cloning is what you cant actually stop. After all we are free-people!

Not the perfect way, but if you already use flash: blog.sebastian-martens.de/2011/06/obfusc....

As a JavaScript/HTML/CSS obfuscator/compressor you can also try Patu Digua.

If you use a JavaScript library, consider Dojo Toolkit which is compatible (after minor modifications) with the Closure Compiler's Advanced mode compilation. dojo-toolkit.33424.n3.nabble.com/file/n2... Code compiled with Closure Advanced mode is almost impossible to reverse-engineer, even passing through a beautifier, as the entire code base (includinhg the library) is obfuscated. It is also 25% small on average.

JavaScript code that is merely minified (YUI Compressor, Uglify etc. ) is easy to reverse-engineer after passing through a beautifier.

You could try this as an alternative as well. tools.2vi.nl.

Dean Edward's Packer is an excellent obfuscator, though it primarily obfuscates the code, not any string elements you may have within your code. See: jscompress.com/ and select Packer (Dean Edwards) from the dropdown.

I've used this in the past, and it does a good job. It's not free, but you should definitely take a look. stunnix.com/prod/jo.

I am using Closure-Compiler utility for the java-script obfuscation. It minifies the code and has more options for obfuscation. This utility is available at Google code at below URL: code.google.com/closure/compiler/ But now a days I am hearing much of UglifyJS.

You can find various comparison between Closure Compiler and UglifyJS in which Uglify seems to be a winner. badassjs.com/post/971960912/uglifyjs-a-f.... Soon I would give chance to UglifyJS.

Thanks Shailendra.

Try this tool Javascript Obfuscator I used it on my HTML5 game not only it reduced it size from 950KB to 150 but also made the source code unreadable closure compilers and minifiers are reversable I personally don't know how to reverse this obfuscation.

I've been using Jasob for years and it is hands down the best obfuscator out there. It has an advanced UI but is still intuitive and easy to use. It will also handle HTML and CSS files.

The best way to use it is to prefix all of your private variables with something like an underscore, then use the sort feature to group them all together and check them off as targets for obfuscation. Users can still view your source, but it's much more difficult to decipher when your private variables are converted from something like _sUserPreferredNickName to a. The engine will automatically tally up the number of targeted variables and prioritize them to get the maximum compression.

I don't work for Jasob and I get nothing out of promoting them, just offering some friendly advice. The downside is that it's not free and is a little pricey, but still worth it when stacked against alternatives - the 'free' options don't even come close.

I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.

Related Questions