DEV Community

WangLiwen
WangLiwen

Posted on

Do we really need to obfuscate JS code?

Do we really need to obfuscate JS code?

Regarding whether or not to obfuscate and encrypt web JS code, some argue, "There's no security in the frontend, obfuscation is useless, and even if obfuscated, others can eventually reverse engineer it with time and effort, so JS code doesn't need protection." Is this viewpoint correct?

Theoretically speaking, this notion appears to be somewhat valid: obfuscated and encrypted JS code, given enough time and dedication, can indeed be analyzed to a considerable extent. Similar to how an exe file can be disassembled and its logic gradually analyzed using tools like IDA. However, the crucial difference lies in the "time cost" and the required technical expertise.

For instance, a JS source code feature might take merely three minutes to comprehend if left in plaintext, but could take hours, days, months, or even longer if obfuscated and encrypted. This significantly discourages many individuals with average technical skills, especially when the time invested in reverse engineering exceeds the time it would take to develop the feature from scratch.

Moreover, capable developers might not even consider reverse-engineering or stealing others' source code. Such activities could even be illegal (especially for commercial code), which intelligent individuals would avoid.

Hence, obfuscating and encrypting JS code not only enhances security but also demonstrates a heightened sense of security awareness, which is undoubtedly preferable to publishing code transparently.

Based on the above, personally, I believe obfuscating and encrypting JS code before publication is an excellent choice. I find it puzzling why some would oppose this practice.

Of course, if the code is entirely unimportant or inconsequential, the effort of obfuscation and encryption might not be necessary, given that it does take a few minutes to perform. (Note: Open-source products also don't require this...)

Additionally, some may wonder if obfuscated JS code can still function correctly and whether it might break. These concerns are largely unfounded. JS obfuscation tools are mature and reliable, with popular offerings like JShaman, JScrambler, JsJiaMi.online, and JS-Obfuscator having been around for years, providing stable and trustworthy services.

Image description

In conclusion, our company has a clear policy that all JS code must be obfuscated and encrypted before publication. This is a matter of security awareness and prevention. Releasing source code unchecked is essentially inviting others to freely copy and use it.

Top comments (0)