DEV Community

Obfuscating your create react app and routes

Petra Grunheidt on January 17, 2024

This week, I was tasked with enhancing the security of our Create React App by employing obfuscation and minification techniques. Obfuscation, as ...
 
Jack

This is really interesting but it's a whole lot of effort when obfuscation is the lowest form of security. Any decent hacker who wants to delve into your source code would not be put off by minified code - a mild inconvenience at best.

It's much safer and easier to just ensure your UI code doesn't contain sensitive information in the first place.

Petra Grunheidt • Edited

There are actually two points in this post, one about the obfuscation/minification. I agree that this part is a minor inconvenience.

The second part (splitting the build code into chunks) I find the most important/interesting in the context of a single page application, since, before this implementation, it was possible to access the source code of authenticated routes from the main.*.js.

j4k0xb • Edited

Code splitting doesn't improve security, and the source code is still available once you load it or find the chunk id.

Mariana Souza

another BANGER

aaronucsd • Edited

Is there a way to not have this script (yarn obfuscate) build when on the development env? Like locally or stage? Non-production.

Petra Grunheidt • Edited

Hey aaron!

Yeah, you can totally do that. Locally, when using a simple yarn run, this script won't run, since build is not required for local development/testing.
If you have a deployed staging environment, I would recommend obfuscating it, since it is public on the web, but if you would still like to skip obfuscating, you could just create two different build scripts in your package.json: one that runs yarn obfuscate and one that doesn't.

Hope this helps!

aaronucsd

Thanks for the reply. I actually ended up adding two scripts as you stated. One build and another dev-build.
