I know you can use a javascript obfuscator to make javascript source protected, but I need a better solution on top of this.
I’m investigating options to encrypt a javascript file to be placed on some websites. This javascript file is included on the page in a script tag like normal, i.e.:
<script src="http://secure.com/encryted.js"></script>
The idea is to somehow prevent users viewing the source of the javascript or at least make it much harder to do so…
I’m thinking of a way to only return the javascript by doing something like
<script src="http://secure.com/validate.php"></script>
That way I could on the host secure.com check for certain conditions and only return the javascript (encrypted) if those conditions are met.
Does anyone have an idea, or has anyone done such a thing? Or does anyone know of a good way to prevent the source code of javascript from being exposed, or to make it very hard?
ETA seems a good way to encrypt it: http://www.enetplanet.com/enc/
My goal is to have people viewing the source/HTML not be able to "just view" the source.
Any thoughts?
No, TEA (http://www.enetplanet.com/enc/) is not the kind of tool you can use for such a task. It is just a little bit more than a proof-of-concept or than a toy. TEA (like any other encryption system) cannot be actually used to encrypt/protect a javascript file that you send to the customer’s browser.
Consider this: the user must have a copy of the encryption program to decipher the javascript file coming from your server. In other cases, this would not be a great security hole in itself. Any encryption system relies on the secrecy of a key, not on the secrecy of the encryption program/algorithm.
Unfortunately, when talking of client-side javascript, this is a security hole. The encryption program (TEA) is a javascript file itself. Anybody can read it. It is trivial to modify it in a way that it just prints out the encryption key or in a way that it just decrypts the “protected” javascript file without making any check.
Moreover, the end-user has total, unlimited access to the network communication channel. He can just read the password (the key) with a network sniffer installed on his PC. No key (and no encryption system) can resist such an attack (well-known as a “man-in-the-middle” attack).
It is well known that there isn’t any real way to encrypt/protect a javascript file. The best you can do is to obfuscate it.
If you really need to protect some kind of client-side software, you have to use compiled software (C/C++), encryption and some kind of hardware key. Any other system can easily be “cracked” (as the whole history of computer games can demonstrate).
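The point made in the answer above, as an added example that is not part of the original posts: a TEA-encrypted script only runs if the page also ships the decryptor and the key, so the loader's own output is the complete plaintext source. The function names, the sample key and the sample source are constructed for illustration, and ECB mode with zero padding is an assumption chosen to keep the sketch short.

```javascript
// Added illustration: TEA (32 rounds, 64-bit blocks), ECB mode, zero padding assumed.
const DELTA = 0x9e3779b9;

function teaEncryptBlock([v0, v1], k) {
  let sum = 0;
  for (let i = 0; i < 32; i++) {
    sum = (sum + DELTA) >>> 0;
    v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >>> 5) + k[1]))) >>> 0;
    v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >>> 5) + k[3]))) >>> 0;
  }
  return [v0, v1];
}

function teaDecryptBlock([v0, v1], k) {
  let sum = 0xc6ef3720; // DELTA * 32 mod 2^32
  for (let i = 0; i < 32; i++) {
    v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >>> 5) + k[3]))) >>> 0;
    v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >>> 5) + k[1]))) >>> 0;
    sum = (sum - DELTA) >>> 0;
  }
  return [v0, v1];
}

// Run a block function over a byte array whose length is a multiple of 8.
function crypt(bytes, key, blockFn) {
  const out = new Uint8Array(bytes.length);
  const src = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const dst = new DataView(out.buffer);
  for (let o = 0; o < bytes.length; o += 8) {
    const [a, b] = blockFn([src.getUint32(o), src.getUint32(o + 4)], key);
    dst.setUint32(o, a); dst.setUint32(o + 4, b);
  }
  return out;
}

// Publisher side: zero-pad the UTF-8 source to whole blocks and encrypt it.
function protect(source, key) {
  const raw = new TextEncoder().encode(source);
  const padded = new Uint8Array(Math.ceil(raw.length / 8) * 8);
  padded.set(raw);
  return { length: raw.length, data: crypt(padded, key, teaEncryptBlock) };
}

// Browser side: the loader the page must ship with the key; it returns what eval() would get.
function loaderDecrypt(bundle, key) {
  const plain = crypt(bundle.data, key, teaDecryptBlock).subarray(0, bundle.length);
  return new TextDecoder().decode(plain);
}
const SAMPLE_KEY = [0x01234567, 0x89abcdef, 0xfedcba98, 0x76543210]; // constructed
const SAMPLE_SOURCE = 'function price(q) { return q * 19.99; }';     // constructed
```

Calling `loaderDecrypt(protect(SAMPLE_SOURCE, SAMPLE_KEY), SAMPLE_KEY)` returns the original source text unchanged, using nothing but material the browser already holds.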