How to protect your JS?

Medam Mahesh (memahesh)

Hi,

I am looking for a way to secure my JS code.

Edit: I do not want my code to be run by others on their local machines by cloning my API behaviour. Secondly, if obfuscation is OK, are there any best practices other than going to an online obfuscator?

I know there is Obfuscating JS. But, I do not know how safe it is.

It'd be great if someone can answer these for me.

  • Is obfuscation safe?
  • How to properly obfuscate your JS?
  • Are there any techniques to secure JS apart from obfuscation?

Discussion


Truth is, there isn't really a way to protect your front end code. In the end it is executed on your client's computer. The question should be - why would you want that? If you have specific IP you'd like to protect, why not move it to the server side?

 

As someone that does a lot of data scraping, I can probably say that most of the techniques you come up with will probably be useless. 99% of the time I don't need to look at your code; I just need to look at the requests and responses and I can build my own client.

The other 1% of the time, I will just hit F12 to open inspector, look at the stacktrace of your XHR request, put breakpoints here and there, fire up the request again and I will know how to build your request.

If you minify the code, I will just prettify it, again built into the inspector.
If you use webasm, that might slow me down a bit because most of the sites I've looked at don't do that and therefore I don't have experience with it, but I'm sure I can figure it out eventually. Maybe in the future, it will become more popular.

Basically if you provide an API, it can be used by unauthorized users.
I would recommend focusing on making it harder for people who are using your APIs to be able to accomplish what they want. Focus on social and legal avenues to protect yourself. If someone's stealing your data for profit, hit them with a lawsuit if that's an option.

However, if you're willing to invest time into it, compiling your app into native code has prevented me from reverse engineering the API requests. I just don't know how, though I've recently been doing some research about it. It's not going to stop someone that does know how, but it makes it MUCH harder for someone random like me to come across your site and just hit F12 and walk away with all your endpoints.
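An added illustration, not part of the original thread, of the two points made in the comments above: obfuscation leaves the request on the wire unchanged, and logic moved to the server never reaches the client. The endpoint `/api/quote`, the discount rule and every function name here are hypothetical.

```javascript
// Constructed sample; the endpoint, fields and discount rule are hypothetical.
// `wireOf` stands in for the browser network tab: it records what a client sends.
function wireOf(client, items) {
  const wire = [];
  client((method, url, body) => wire.push(JSON.stringify({ method, url, body })), items);
  return wire;
}

// Readable build: the business rule ships to the browser.
function quoteReadable(send, items) {
  const total = items.reduce((sum, i) => sum + i.price * i.qty, 0);
  const discount = total > 100 ? 0.1 : 0;
  send('POST', '/api/quote', { total, discount });
}

// The same logic after identifier renaming and string-array indirection,
// roughly what an obfuscator emits.
const _0x1f = ['POST', '/api/quote', 'price', 'qty'];
function _0xa3(_0xb, _0xc) {
  let _0xd = 0;
  for (const _0xe of _0xc) _0xd += _0xe[_0x1f[2]] * _0xe[_0x1f[3]];
  _0xb(_0x1f[0], _0x1f[1], { total: _0xd, discount: _0xd > 100 ? 0.1 : 0 });
}

// Server-side alternative: the client sends inputs only...
function quoteThin(send, items) {
  send('POST', '/api/quote', { items });
}
// ...and the rule runs in the server handler, which is never delivered to the browser.
function serverQuote(items) {
  const total = items.reduce((sum, i) => sum + i.price * i.qty, 0);
  return { total, discount: total > 100 ? 0.1 : 0 };
}

// True when a client function's shipped source contains the given text.
function shipsToClient(client, text) {
  return client.toString().includes(text);
}

const sampleItems = [{ price: 60, qty: 2 }];
// Both builds put byte-identical requests on the wire.
console.log(wireOf(quoteReadable, sampleItems)[0] === wireOf(_0xa3, sampleItems)[0]);
// The threshold is in the readable client's source but not in the thin client's.
console.log(shipsToClient(quoteReadable, '> 100'), shipsToClient(quoteThin, '> 100'));
```

With the thin client the rule itself stays on the server, but its inputs and outputs are still visible in the request and response.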

 

Most things out there can be replicated without even having to look at a line of code (as @mxldevs mentions); just look at how many Uber-like or Netflix-like services are there.

An idea is worth nothing, what counts is the actual execution, and sometimes, the timing. I would focus on making my execution worthy of my users' time and resources rather than worrying if they are going to copy it, because someone will eventually do it.

 

I had better set my priorities straight and focus on execution for now.
Thanks for the advice @mxldevs and @eruizdechavez.

 

You put #security on this, so therefore I must now ask The Question:

What is your threat model?

In other words, who are you trying to protect against, and what are they trying to do? Unless you can answer that question accurately, then you're really not going to be able to find answers to the other questions you ask.

 

Hi @dwd,

I edited the post a little. Let me know if it makes sense now.

 

I think you have to ask yourself what you're trying to achieve. Why do you want people to not be able to read your source code?

Obfuscation is "safe" in that it very rarely screws up, changes the meaning of some clever bit of code, and causes your app to crash. It's "safe" in that you don't run it in development environments where you can still step through it with a debugger even if the problem is only appearing in production.

 

Hi @moopet,
I edited the post a little. Let me know if it makes sense now.

 

If you wish to protect your JS, do not give it to people ...

 

I think you meant do not put it on the frontend at all. :P

I get your point though.

Thanks