DEV Community

Medam Mahesh

How to protect your JS?

Hi,

I am looking for a way to secure my JS code.

Edit: I do not want my code to be run by others in their local by cloning my API behaviour. Secondly, if obfuscation is OK, are there any best practices other than going to an online obfuscator?

I know there is obfuscating JS. But I do not know how safe it is.

It'd be great if someone can answer these for me.

  • Is obfuscation safe?
  • How to properly obfuscate your JS?
  • Are there any techniques to secure JS apart from obfuscation?

Top comments (10)

Dor Shinar

Truth is, there isn't really a way to protect your front end code. In the end it is executed on your client's computer. The question should be - why would you want that? If you have specific IP you'd like to protect, why not move it to the server side?

MxL Devs • Edited

As someone that does a lot of data scraping, I can probably say that most of the techniques you come up with will probably be useless. 99% of the time I don't need to look at your code; I just need to look at the requests and responses and I can build my own client.

The other 1% of the time, I will just hit F12 to open inspector, look at the stack trace of your XHR request, put breakpoints here and there, fire up the request again and I will know how to build your request.

If you minify the code, I will just prettify it, again built into the inspector.
If you use webasm, that might slow me down a bit because most of the sites I've looked at don't do that and therefore I don't have experience with it, but I'm sure I can figure it out eventually. Maybe in the future, it will become more popular.

Basically if you provide an API, it can be used by unauthorized users.
I would recommend focusing on making it harder for people who are using your APIs to be able to accomplish what they want. Focus on social and legal avenues to protect yourself. If someone's stealing your data for profit, hit them with a lawsuit if that's an option.

However, if you're willing to invest time into it, compiling your app into native code has prevented me from reverse engineering the API requests. I just don't know how, though I've recently been doing some research about it. It's not going to stop someone that does know how, but it makes it MUCH harder for someone random like me to come across your site and just hit F12 and walk away with all your endpoints.
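
Added example, not part of any comment in this thread: a Node.js sketch of what Dor Shinar and MxL Devs both point to, with the logic worth protecting kept on the server behind per-client authentication and a request quota, so a cloned client only gets what the API agrees to answer. The pricing rule, client id, key and limits are constructed for illustration.

```javascript
// Added example: names, keys, prices and limits below are constructed.
const crypto = require('node:crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Only hashes of issued API keys are stored server-side.
const API_KEYS = new Map([['client-a', sha256('demo-key-a')]]);
const LIMIT = 3;            // requests per window, hypothetical quota
const WINDOW_MS = 60_000;
const windows = new Map();  // clientId -> { start, count }

// The logic worth protecting: it runs here and is never shipped to a browser.
function quoteCents(items) {
  const subtotal = items.reduce((sum, i) => sum + i.unitCents * i.qty, 0);
  return subtotal >= 10_000 ? subtotal - Math.floor(subtotal / 10) : subtotal;
}

const validItem = (i) =>
  Boolean(i) && Number.isInteger(i.unitCents) && i.unitCents >= 0 &&
  Number.isInteger(i.qty) && i.qty > 0;

function authenticate(clientId, apiKey) {
  const stored = API_KEYS.get(clientId);
  if (!stored || typeof apiKey !== 'string') return false;
  // Digests have equal length, so timingSafeEqual will not throw.
  return crypto.timingSafeEqual(stored, sha256(apiKey));
}

// Fixed-window quota per authenticated client.
function allow(clientId, now) {
  const w = windows.get(clientId);
  if (!w || now - w.start >= WINDOW_MS) {
    windows.set(clientId, { start: now, count: 1 });
    return true;
  }
  w.count += 1;
  return w.count <= LIMIT;
}

// Transport-agnostic handler; wire it to a route in any HTTP framework.
function handleQuote({ clientId, apiKey, items }, now = Date.now()) {
  if (!authenticate(clientId, apiKey)) return { status: 401 };
  if (!allow(clientId, now)) return { status: 429 };
  if (!Array.isArray(items) || !items.every(validItem)) return { status: 400 };
  return { status: 200, body: { totalCents: quoteCents(items) } };
}
```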

Dave Cridland

You put #security on this, so therefore I must now ask The Question:

What is your threat model?

In other words, who are you trying to protect against, and what are they trying to do? Unless you can answer that question accurately, then you're really not going to be able to find answers to the other questions you ask.

Medam Mahesh

Hi @dwd,

I edited the post a little. Let me know if it makes sense now.

Ben Sinclair

I think you have to ask yourself what you're trying to achieve. Why do you want people to not be able to read your source code?

Obfuscation is "safe" in that it very rarely screws up, changes the meaning of some clever bit of code, and causes your app to crash. It's "safe" in that you don't run it in development environments where you can still step through it with a debugger even if the problem is only appearing in production.

Medam Mahesh

Hi @moopet,
I edited the post a little. Let me know if it makes sense now.

WangLiwen

Obfuscation is the only way to protect JavaScript code.

Medam Mahesh

I had better set my priorities straight and focus on execution for now.
Thanks for the advice @mxldevs and @eruizdechavez.

pentacular

If you wish to protect your JS, do not give it to people ...

Medam Mahesh

I think you meant do not put it on the frontend at all. :P

I get your point though.

Thanks