How can i obfuscate or make unreadable my JavaScript files?

Question

I have JavaScript scripts in my application containing JavaScript and jQuery functions. All user interaction with my application is dynamic and it\'s passing to the application

Answer 1

If someone really cares about your code he will take the workload of un-minifying (replacing random with useful variable/function names). Anything else such as "encrypting" or packing is just snake oil since it can be reverted extremely easy. So save yourself some work and rather spend it on making your application better.

So: The only thing you should do on a production system is minifying your JS code. This makes it smaller and thus faster to load - so it is an actually advantage. Besides that, it will make it less readable to people who are just curious for a quick look but don't want to spend time on it.

The facebook JS files for example are just minified by the way - most likely just for bandwidth/performance reasons.

---

The easiest way to minify your JavaScript is using Google's web service for it: http://closure-compiler.appspot.com/home
Note that it has an 1MB limit so if your JS is that huge, you might need to download the Java-based minifier to run it locally.

Answer 2

Everything ThiefMaster says is true. It's also worth noting that your apps should be designed with the assumption users can see and manipulate everything on the client. If you're worried about obfuscation because you think it will prevent users from seeing sensitive data or manipulating information such as prices, then you need to redesign your application so that secure logic resides on the server.

Answer 3

As I need to minify my javascript source code, I'm looking for a javascript program whose minify itself any javascript code.

Why a javascript minifier ? Because, i'm writing some randomized javascript code from the web server to the client.

I should use "node.js" on the web server to execute a javascript program which generates a javascript code and minifying it on the fly and send it to the client.

This javascript program is a : encryption and decryption program. The javascript code result for the client should contains a javascript function which decrypt each portion of a json or hexadecimal version of an encrypted data. The function executes some plus, minus and multiplications of integers. Sometimes, I can generate a condition (if,then and else) to compute two different operations. This function is used to decrypt two or more parameters inputs.

That's the randomized function : each time the client requests some private data, the web server generates two different javascript functions : one for encryption and one another for decryption. The decryption function is sent to the client. The encryption function is used by the web server to encrypt and send private data to the client. It's make a sense for obfuscation : each time the process is running, each time the sending function is totally different.

And, to convince the encryption/decryption is very secured, I add for the client, a tabular values conversion of two or more parameters ; but, the tabular values are generated, in fact, by a function written for the web server only and contains some numeric constants, which are NEVER send to the client. Thus, any one whose want to decrypt must have the constants value.

I'm explained that process because :

1. you are taken some things about obfuscation in javascript source code; but, obfuscation in javascript is not yet implemented by web server and browsers...maybe, it could happen...but, what kind of solutions is useful with the help of "SSL-ize" all transmission over the internet.

2. It's possible to crypt and decrypt with encryption/decryption functions which can be readable. And, without the cost of SSL certificates. Even, "a man in the middle" would decrypt the encrypted data ; for that, he just has to execute the javascript function. Ok..but imagine that the javascript decryption function is also encypted...then, the "man in the middle" has to execute the decryption function and then decrypt again the decrypted content which are javascript function to decrypt the encrypted data.

And, imagine if the web server asks a question to the client and the unique answer is handled by the client's result computation (whose not sent through Internet) ... it's impossible to "the man in the middle" to have the answer.

Check out my idea; i'm waiting for comments from any one.