DEV Community

Roco

Your JavaScript source code is public. Here's what we do about it.

A reality check

Open your browser. Go to any website. Press F12. Click Sources.

Congratulations, you can now read their JavaScript.

Sure, it might be minified. But minified isn't protected. The browser's own "pretty print" button in the Sources panel, or any beautifier, restores the formatting in seconds. Your variable names might be mangled, but the control flow and the string literals are right there.

For most websites, this doesn't matter. But if you're building:

  • License checks
  • Proprietary algorithms
  • Anti-cheat logic
  • Premium features

...having that code readable is a problem.

What obfuscation actually does

Let's be clear: obfuscation is not encryption. There is no key the attacker lacks; everything the browser needs to run the code, and therefore everything needed to read it, ships to the browser. A determined attacker with enough time will figure it out. That's not the point.

The point is making the cost of reverse-engineering higher than the value of what you're protecting.

If it takes someone 40 hours to understand your license check, and your software costs $20, most people will just pay. Economics.

What we built

CLOAK. JavaScript protection that goes beyond basic minification.

npx @sekyuriti/cloak protect src/

It does a few things:

Control flow flattening - Your nice, readable if/else statements become a state machine: one loop, one switch, and every basic block becomes a numbered case that sets the next state. Good luck following the logic.

String encryption - Strings like API endpoints and error messages get encrypted at build time and replaced with calls to a decoder. They're decrypted at runtime, which also means the decoder and its key ship in the same bundle; this hides strings from a grep, not from someone who runs the code.
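To make the string-encryption step concrete, here is an added example of the build-time encoder and the runtime decoder a JS protector typically emits. This is illustration code, not CLOAK's own implementation: the XOR cipher, the hex-encoded table, the key and the sample strings are all assumptions chosen for the example.

```javascript
// Added example (not CLOAK's own code): build-time string encryption with
// a runtime decoder, the shape most JS protectors produce.  The key, the
// XOR cipher and the hex table are illustration choices, not CLOAK's format.

// --- build step: runs once, its output is what ships --------------------
function xorBytes(bytes, key) {
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ key[i % key.length];
  return out;
}

function buildStringTable(strings, key) {
  const enc = new TextEncoder();
  return strings.map((s) =>
    Array.from(xorBytes(enc.encode(s), key), (b) => b.toString(16).padStart(2, "0")).join("")
  );
}

// --- runtime decoder: shipped inside the protected bundle ---------------
function makeDecoder(table, key) {
  const dec = new TextDecoder();
  const cache = new Map(); // decrypt each string once, then reuse it
  return function str(index) {
    if (!cache.has(index)) {
      const hex = table[index].match(/../g) || []; // empty string -> no bytes
      const bytes = Uint8Array.from(hex, (h) => parseInt(h, 16));
      cache.set(index, dec.decode(xorBytes(bytes, key)));
    }
    return cache.get(index);
  };
}

// Constructed sample: the literals a license check might contain.
const ORIGINAL = ["https://api.example.com/license", "Invalid license key", "premium"];
const KEY = Uint8Array.from([0x3f, 0x9a, 0x1c, 0x57]); // hypothetical, generated at build
const TABLE = buildStringTable(ORIGINAL, KEY);
const str = makeDecoder(TABLE, KEY);

// The protected code calls str(0) where it used to have a literal, so the
// shipped file contains no plaintext endpoint...
function licenseEndpoint() {
  return str(0);
}

// ...but TABLE, KEY and makeDecoder ship in the same file, so anyone with
// the bundle can recover every string without reading the rest of the code.
function dumpAllStrings() {
  return TABLE.map((_, i) => str(i));
}
```

The last function is the caveat in code form: a grep for the endpoint finds nothing, but pasting the bundle's own decoder into the console and looping over the table recovers every string, which is why this counts as friction rather than secrecy.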

Domain locking - Code only runs on the domains you specify. Someone copies your JS to their site? The hostname check fails and it doesn't execute.

Expiration dates - Time-limited code that stops running after a date you set. Useful for trials or beta releases. Like any check that runs in the browser, it reads the browser's clock, so treat it as a nudge rather than a hard deadline.
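The domain lock and the expiration date both compile down to a runtime guard wrapped around the sensitive code. The following is an added example of such a guard, not CLOAK's own implementation; the hostnames, the dates and the shape of the `env` object are assumptions, and the environment is passed in as a parameter so the example runs outside a browser.

```javascript
// Added example (not CLOAK's own code): the runtime guard a domain lock and
// an expiry date reduce to.  In a real bundle `env` would be
// { hostname: location.hostname, now: Date.now() }; here it is passed in so
// the guard can be exercised outside a page.  Hosts and dates are hypothetical.

// Values baked in at protect time.
const ALLOWED_HOSTS = ["yourdomain.com", "www.yourdomain.com"];
const EXPIRES_AT = Date.parse("2025-12-31T23:59:59Z");

function hostAllowed(hostname, allowed = ALLOWED_HOSTS) {
  // Exact match only: a suffix test such as endsWith("yourdomain.com")
  // would also accept "evilyourdomain.com".
  return allowed.includes(String(hostname).toLowerCase());
}

function notExpired(now, expiresAt = EXPIRES_AT) {
  // `now` comes from the client's clock, so this is a nudge, not a deadline.
  return now <= expiresAt;
}

// Wraps a function so it only runs when both guards pass.
function lock(fn, env) {
  return function locked(...args) {
    if (!hostAllowed(env.hostname) || !notExpired(env.now)) {
      throw new Error("protected code refused to run");
    }
    return fn.apply(this, args);
  };
}

function premiumFeature(x) {
  return x * 2;
}

// Constructed environments: licensed host, a copy on another site, and the
// licensed host after the expiry date.
const LICENSED = { hostname: "yourdomain.com", now: Date.parse("2025-06-01T00:00:00Z") };
const COPIED_SITE = { hostname: "copycat.example", now: LICENSED.now };
const STALE = { hostname: "yourdomain.com", now: Date.parse("2026-01-15T00:00:00Z") };

// Returns the feature's result, or the refusal message if the guard fires.
function tryRun(env) {
  try {
    return lock(premiumFeature, env)(21);
  } catch (e) {
    return e.message;
  }
}

// Anyone holding the bundle can rewrite the guard.  Simulated here by
// replacing hostAllowed for one call; in the shipped file it is a one-line edit.
function bypassDemo() {
  const original = hostAllowed;
  hostAllowed = () => true;
  try {
    return tryRun(COPIED_SITE);
  } finally {
    hostAllowed = original;
  }
}
```

`tryRun(LICENSED)` returns the feature's value, while `tryRun(COPIED_SITE)` and `tryRun(STALE)` return the refusal message. `bypassDemo` is the honest part: the guard is ordinary JavaScript in the attacker's hands, so whatever the lock protects still has to be enforced on the server.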

Dead code injection - Fake code paths that are never taken but look like real work, there to waste the time of anyone reading it.
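Control flow flattening and dead code injection usually land in the same function, so here is one added example covering both: a readable license check and a hand-flattened version of the same logic with two injected dead states. This is illustration code written for this page, not CLOAK's output; the state numbers, the opaque predicate and the license-key format are assumptions.

```javascript
// Added example (not CLOAK's own code): what control flow flattening plus
// dead code injection does to a small license check.  State numbers, the
// dead states and the key format are illustration choices.

// Readable original: validate the key, then classify it.
function checkLicenseReadable(key, dayOfTrial) {
  if (typeof key !== "string" || key.length !== 8) {
    return "invalid";
  }
  if (key.startsWith("TRIAL-")) {
    return dayOfTrial < 14 ? "trial" : "expired";
  }
  return "full";
}

// Flattened form: every basic block is a case in one dispatcher loop and
// the order of cases says nothing about the order of execution.  Cases 5
// and 7 are injected dead code: they look like real work but no reachable
// transition leads to them.
function checkLicenseFlattened(key, dayOfTrial) {
  let state = 3;
  let result;
  while (true) {
    switch (state) {
      case 3: {
        // Opaque predicate: n*n + n is always even for an integer n, so the
        // jump to state 7 is never taken, but that is not obvious at a glance.
        const n = dayOfTrial | 0;
        if ((n * n + n) % 2 === 1) { state = 7; break; }
        state = typeof key !== "string" || key.length !== 8 ? 6 : 1;
        break;
      }
      case 6:
        result = "invalid"; state = 9;
        break;
      case 1:
        state = key.startsWith("TRIAL-") ? 4 : 2;
        break;
      case 4:
        state = dayOfTrial < 14 ? 8 : 0;
        break;
      case 8:
        result = "trial"; state = 9;
        break;
      case 0:
        result = "expired"; state = 9;
        break;
      case 2:
        result = "full"; state = 9;
        break;
      case 5: // dead: plausible-looking work that never runs
        result = String(key).split("-").reverse().join(""); state = 2;
        break;
      case 7: // dead: only reachable through the always-false predicate
        state = dayOfTrial % 3 === 0 ? 6 : 8;
        break;
      case 9:
        return result;
    }
  }
}

// Constructed inputs used to confirm the two versions agree.
const SAMPLE_INPUTS = [
  ["TRIAL-01", 3],
  ["TRIAL-01", 20],
  ["ABCD1234", 0],
  ["short", 0],
  [42, 0],
  [null, 7],
];

function agreeOnSamples(samples = SAMPLE_INPUTS) {
  return samples.every(([k, d]) => checkLicenseReadable(k, d) === checkLicenseFlattened(k, d));
}
```

Both functions return the same answers for every sample, which is the point: the flattened version is behaviourally identical and only harder to read. A real tool also renames the states randomly per build and may encrypt the strings in the cases, so the "invalid"/"trial"/"full" labels that make this example legible would not be there either.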

An honest assessment

Will this stop a skilled reverse engineer? No. Given enough time, anything can be cracked.

Will this stop casual copying, the person who wants to lift a function and paste it into their own site? Mostly, yes.

Will it cost a skilled reverse engineer real time? Also yes.

That's the trade-off. You're not buying invincibility. You're buying friction. Anything that actually gates access, such as whether a license is valid or whether a premium endpoint answers, still has to be enforced on the server; obfuscation slows down reading the client, it doesn't make the client trustworthy.

Performance

The protected code is slower. How much depends on the protection level: light protection is barely noticeable, heavy protection can add 20-30% overhead. Control flow flattening adds a dispatch on every basic block, so hot loops pay the most, and encrypted strings pay a decryption cost on first use. Measure on your own code before shipping.

We recommend protecting only sensitive files, not your entire codebase: the license check, not the rendering code.

Try it

npx @sekyuriti/cloak protect ./src/license-check.js --domain yourdomain.com

Details at sekyuriti.build/modules/cloak
