This week, I was tasked with enhancing the security of our Create React App by employing obfuscation and minification techniques.
Obfuscation, as ...
This is really interesting but it's a whole lot of effort when obfuscation is the lowest form of security. Any decent hacker who wants to delve into your source code would not be put off by minified code - a mild inconvenience at best.
It's much safer and easier to just ensure your UI code doesn't contain sensitive information in the first place.
There are actually two points in this post, one about the obfuscation/minification. I agree that this part is a minor inconvenience.
The second part (splitting the build code into chunks) I find the most important/interesting in the context of a single page application, since, before this implementation, it was possible to access the source code of authenticated routes from the main.*.js.
Code splitting doesn't improve security, and the source code is still available once you load it or find the chunk id.
another BANGER
Is there a way to not have this script (yarn obfuscate) build when on the development env? Like locally or stage? Non-production.
Hey aaron!
Yeah, you can totally do that. Locally, when using a simple yarn run, this script won't run, since build is not required for local development/testing.
If you have a deployed staging environment, I would recommend obfuscating it, since it is public on the web, but if you would still like to skip obfuscating, you could just create two different build scripts in your package.json: one that runs yarn obfuscate and one that doesn't.
Hope this helps!
Thanks for the reply. I actually ended up adding two scripts as you stated. One build and another dev-build.