0

I'm trying to find a way to make my JavaScript code invisible in the browser's developer console, but still usable. If that's not possible, I need a way to make it runnable only on a specific website. Thanks in advance.

3
  • Use a code minifier or obfuscator. Google will help. Second thought. Use a database with unique keys. Only the website with the correct key can use your script. Commented Feb 21, 2015 at 14:03
  • I like the second solution. Is there an example of how it should work? Commented Feb 21, 2015 at 14:06
  • 2
    It's extremely hard to prevent someone browsing the site from seeing the JS, because ultimately their browser needs all the code to actually run it. Other than obfuscation, the only way is to simply run less in the client - e.g. run the same code in node.js on your server, and send the browser the rendered page. Commented Feb 21, 2015 at 14:18

1 Answer

1

Internet Site

For a public website, what you want isn't possible. You can obfuscate the code, but you cannot make it invisible, as the browser is under the user's control and the browser needs the code to execute it, so the user can always force the browser to reveal the code.

Of course you could make the obfuscation more elaborate than just an uglification, thereby getting into DRM topics. But that still wouldn't keep anyone who gets hold of the (obfuscated) script from running it, and possibly reverse-engineering it.

As JavaScript code is running on your users' machines, they have to trust it. (To some extent. It runs sandboxed in the JavaScript runtime, so it can't do too much harm.) Obfuscating the code beyond minification will make you look very suspicious, as it'd suggest you have to hide functionality that'd hurt your users or their machine.

So as others have already commented, code that has to be secret will have to be run server-side only, so that only the results will reach the client.

Controlled Environment

It's different in an intranet scenario where the respective IT department might have exclusive control over both the intranet server and the client computers. There, the IT department could just disable inspection features of the installed browsers. Additionally they would have to make sure that the user has no ability to otherwise download the script or to scrape it from the browser cache.

Effectively, this would require computers set up to be used as web kiosks (web terminals without the ability to run arbitrary programs) only. Of course, the network or the intranet server would have to reliably authenticate these trusted client machines, or someone could just bring and plug in their own machine to get the JavaScript code.
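The server-side approach described in the answer above, as an added example that is not part of the original answer: a Node.js sketch where the proprietary calculation stays in the server process and the browser receives only a thin `fetch()` call and the result. The names `quotePrice`, `SECRET_MARGIN`, `handleQuote` and the `/api/quote` route are hypothetical.

```javascript
// Added example (hypothetical names): the proprietary logic never leaves the server.
const SECRET_MARGIN = 0.37; // part of the secret; never sent to the client

// The "secret" algorithm. It exists only in the server process.
function quotePrice(cost, quantity) {
  const volumeDiscount = quantity >= 100 ? 0.9 : 1;
  return Math.round(cost * quantity * (1 + SECRET_MARGIN) * volumeDiscount * 100) / 100;
}

// Pure request handler: validates untrusted client input, returns only the result.
function handleQuote(rawBody) {
  let input;
  try { input = JSON.parse(rawBody); } catch { return { status: 400, body: { error: 'invalid JSON' } }; }
  const { cost, quantity } = input ?? {};
  if (!Number.isFinite(cost) || !Number.isInteger(quantity) ||
      cost <= 0 || quantity <= 0 || quantity > 10000) {
    return { status: 400, body: { error: 'invalid input' } };
  }
  return { status: 200, body: { price: quotePrice(cost, quantity) } };
}

// Everything the browser ever receives: markup plus a thin fetch() call.
const CLIENT_PAGE = `<!doctype html>
<button id="q">Quote</button><output id="out"></output>
<script>
document.getElementById('q').onclick = async () => {
  const r = await fetch('/api/quote', { method: 'POST', body: JSON.stringify({ cost: 12.5, quantity: 100 }) });
  document.getElementById('out').textContent = (await r.json()).price;
};
</script>`;

// HTTP wiring around the pure handler; request bodies are capped at 1 KiB.
async function startServer(port) {
  const http = await import('node:http');
  return http.createServer((req, res) => {
    if (req.method === 'POST' && req.url === '/api/quote') {
      let body = '';
      req.on('data', (c) => { body += c; if (body.length > 1024) req.destroy(); });
      req.on('end', () => {
        const out = handleQuote(body);
        res.writeHead(out.status, { 'Content-Type': 'application/json' });
        res.end(JSON.stringify(out.body));
      });
    } else {
      res.writeHead(200, { 'Content-Type': 'text/html' });
      res.end(CLIENT_PAGE);
    }
  }).listen(port, '127.0.0.1');
}
if (process.argv.includes('--serve')) startServer(8080);
```

Run with `node file.js --serve` and view the page source in the browser: only the markup and the `fetch()` call are visible, while the inputs and outputs of the endpoint remain observable to the user.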
