DEV Community

Discussion on: Protecting Your React.js Source Code with Jscrambler

Antony Garand

Note that this doesn't make the code secret or impossible to reverse-engineer; it only makes these things harder.

What it also does is:

  • Increase your bundle size
  • Make it harder to find bugs, and possibly create new bugs which aren't in your dev environment
  • Add an extra external dependency which modifies your whole code before you ship it!

This last point is particularly scary, as if the company feels like it, or if they're bought later on and their new buyer feels like it, they can inject their own analytics code, cryptominer or even malware on your website, and you would never know about it.

You should never rely on the front-end for your security, therefore you should definitely consider the cons before implementing this.

Jscrambler • Edited

You do raise some pertinent points, so let me clarify our stance on those:

First, it's true that this doesn't encrypt your code (you can't encrypt JavaScript). The objective of obfuscation is to greatly increase the cost of reverse-engineering attempts, which is useful when you want to ensure that your proprietary code is not in plain sight nor easily retrievable. While this tutorial focuses on obfuscation, Jscrambler is not an obfuscation tool; it provides a total of 3 JavaScript protection layers (including code locks and self-defending).

As for the other concerns you raised:

  • Obfuscation does increase code size, but Jscrambler enables you to apply obfuscation only on the most sensitive parts of the code. With this fine-tuning, the size increase and performance impacts are marginal.
  • This may be true for free obfuscation tools, but Jscrambler provides Source Maps to enable easy debugging of protected code.
  • Code dependencies can and should be considered with caution security-wise, so that's a great point. As an industry-recognized security company that has the trust of companies from the Fortune 500, our products meet the highest security standards, so we'll never inject malware or any malicious code.

We absolutely agree that you shouldn't rely on front-end security alone. But you also shouldn't dismiss it when you have proprietary code which can be stolen or tampered with.