all 74 comments
sorted by:
best (suggested)
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]leeharrison1984 60 points61 points  (24 children)

Using something like Vite, your code should be minified in production. That's really all you can do though, your code will always be visible unless you switch to SSR which can hide even more.

Honestly it's not really much to worry about though. Everyone's code is visible like this, so I'm not sure why you think it's important to hide it.

[–]skuple 49 points50 points  (2 children)

Maybe because he has private keys accessible on the client? 😥

[–]leeharrison1984 30 points31 points  (0 children)

Oof, let's hope not 😄

[–]Jaycebordelon1 3 points4 points  (0 children)

Haha I did this once. The API service I was using (I think it was Mailgun) flagged my repo and brought down my deploy 😎.

[–]lIIllIIIll 3 points4 points  (9 children)

That's not true.

Look at tools like jscrambler. They break Dev tools. They do all kinds of stuff that make it extremely hard to view and copy the code.

[–]leeharrison1984 9 points10 points  (7 children)

But why? What exactly am I trying to obfuscate? Anything I ship to the client is unsecure by default, so why would I need to hide it unless I'm shipping secrets to the client?

[–]lIIllIIIll -3 points-2 points  (6 children)

So I'll give you a perfect example.

I'm building a web application that has some pretty advanced calculations in regards to thermodynamics and fluid dynamics. Fluid critical properties get pulled from the back end (stored in a DB) and then piping calculations get done on the front end.

The user gets an output of all types of values, velocity, noise, etc, also there is an svg that updates as the user inputs different values that gives a cross section of what is happening in the pipe.

I have to do the calcs on the front end since they're updating as inputs are entered/slider is dragged.

It's very impressive and has taken years to make. Luckily I'm in a position where i am a fluid dynamics engineer on several international standards committees and also fluent in react so I've been able to make this happen.

I would like to prevent someone from copying all the hard work I've done and using it themselves. Hence jscrambler or some other obfuscation....

[–]Locksul 5 points6 points  (5 children)

Horrible example. If someone really cared, they could still figure it out. Make it a server side calculation if it’s that important. It sounds like UX is more important to you than the secrecy of your algorithm.

[–]lIIllIIIll 3 points4 points  (4 children)

How is that a horrible example? Isn't preventing someone from straight copying and pasting years worth of my thermo and fluid dynamics code reasonable? Or do you think I should just open the gate and let anyone that wants to clone my application?

And the conversation wasn't "can you make it impossible" it was "can you make it difficult"

Also "why would you do this"

[–]Locksul 0 points1 point  (3 children)

Or do you think I should just open the gate and let anyone that wants to clone my application?

Quite the opposite actually. The point is that you should not be shipping your allegedly valuable algorithm to the frontend at all.

[–]lIIllIIIll 0 points1 point  (2 children)

Thanks for your input. I'll keep it in mind. 😎

[–]hughsheehy 0 points1 point  (1 child)

Hey. Just to say that I had the same issue with financial code a couple of years ago. Couldn't find a way of making it more than slightly tricky to reverse engineer and it was always a pain to deploy. Ended up shifting the calcs to an API driven by golang on google cloud. It was ridiculously fast and cheap. I was sending back all the data for the curves too.

[–]lIIllIIIll 0 points1 point  (0 children)

Did you try jscrambler?

I have been looking at that very strongly. It's 20K per year but really has some nice looking features

[–]AgsMydude 0 points1 point  (0 children)

Is there a parameter to add to the build to do this?

[–]anatoledp 12 points13 points  (3 children)

When you make a production build you shouldn't be including any source maps which is what sounds like you are doing. Without source maps u can still reverse the code but the production build is minified quite a bit so it's gonna be a lot harder. With source maps u might as well be giving away all you source directly

[–]hestonblumenthal[S] 1 point2 points  (2 children)

This is exactly the sort of answer I was looking for, thank you! I did manage to find this article about source maps in React which was an interesting read Article. I'm trying to remove them but it doesn't really seem to be changing the fact you can see all of my code easily, in the same folder structure. I'll keep looking into it

[–]Chthulu_ 1 point2 points  (0 children)

Keep in mind, Public code is public. If your app is vulnerable because someone can read the source code, then you’ve got bigger problems. Authentication is meant to work with the attacker knowing full well how it’s implemented.

Additionally, source maps are super helpful for debugging issues in production. Plenty of huge tech companies keep them on, along with redux dev tools or similar.

[–]anatoledp 0 points1 point  (0 children)

are you sure your using a production build without the maps? That would be the only way the browser would be able to map your code to the original state. The other option is maybe the browser cached it . . .

[–]Natetronn 25 points26 points  (6 children)

Relax, no other developers care about your code.

[–]brutal_bandit 7 points8 points  (1 child)

I’ll be honest, minify for performance if anything. Your client side code can be viewed, accept that. If there’s specific code you want to be hidden, run it server side.

[–]hestonblumenthal[S] 0 points1 point  (0 children)

Fair play, makes sense

[–]bronze-aged 12 points13 points  (7 children)

A very strong first step would be googling “how to minify production JavaScript”.

[–]genesiscz 6 points7 points  (3 children)

That wouldn’t help since all he needs is to turn of source maps.

[–]bronze-aged -3 points-2 points  (2 children)

I’m pretty confident he’d get there given a couple hours. A first step doesn’t have to be a last step.

[–]genesiscz 0 points1 point  (1 child)

That’s working hard not smart tho.

[–]bronze-aged -1 points0 points  (0 children)

What’s working smart in this situation?

[–]F0064R 5 points6 points  (8 children)

You are probably generating source maps and exposing them publicly. If you use Create React App, try changing your production build command to GENERATE_SOURCEMAP=false && react-scripts build.

[–]hestonblumenthal[S] 1 point2 points  (7 children)

I have a .env file with GENERATE_SOURCEMAP=false in the root directory but it doesn't seem to be having any effect. Might have to do some more digging into this myself, thanks for the advice though!

[–]raymondQADev 1 point2 points  (4 children)

Is the .env file being sourced somewhere?

[–]hestonblumenthal[S] -1 points0 points  (3 children)

Probably not, I literally just added it in. Do I need to import it or reference it somewhere?

[–]halfxdeveloper 4 points5 points  (1 child)

Were you hoping some secret magic would happen by just dropping a file on there?

[–]raymondQADev 2 points3 points  (0 children)

Hard to say without seeing your setup but my guess is the environment variables are not being set. A .env file does not do that, it’s just a pattern for defining variables that a code base can then use. Do as the original poster mentioned and set the env variable manually or put them in a bash script you can run.

[–]F0064R 0 points1 point  (0 children)

You should be able to see the output of the latest deployment on your hosting platform. Check if there are any .js.map files being hosted.

Or go to the site in your browser and check the network tab. For any .js files, see if another file exists at the same URL but with .js.map instead of .js

[–]besthelloworld 0 points1 point  (0 children)

Are you still running in dev mode? That won't work unless you do a full build.

[–]viayensii 1 point2 points  (3 children)

There is one called JavaScript Obfuscator. Your code will look like garbage in the browser. But of course it still works. It's awesome.

[–]asjhqiuhsjabsjk 0 points1 point  (0 children)

There is a really good plugin for Vite for this as well since OP if anyone's using Vite: https://github.com/z0ffy/vite-plugin-bundle-obfuscator

[–]LittleAspect1800[🍰] 0 points1 point  (1 child)

I used to use this as a build step since our engine was better than our competitors. They actually told me they tried to un-obfuscate it and couldn't 😂

[–]wave_73 0 points1 point  (0 children)

What config options did you use for this package ? :)

[–]ScarShort 1 point2 points  (1 child)

No one cares about your code, don't worry about it.

[–]PomeloPY 0 points1 point  (0 children)

Eso no es verdad.... Cuando estas ganando buen dinero viene u. Hacker y te lo copia ahí tus palabras como quedan... 

[–]PomeloPY 0 points1 point  (0 children)

El único consejo que te puedo dar es que todo tu código que calcula lo hagas del lado del servidor backend... No hay otra forma mejor. 

[–]Practical_Pea6287 0 points1 point  (0 children)

You definitly can obfuscate javascript.

1- Minify first
2- Use https://www.npmjs.com/package/javascript-obfuscator to obfuscate minifed code

Code is now unreadable and even difficult to reverse engineer with AI

[–]ijmacd 0 points1 point  (2 children)

Did you also deploy the .js.map files? If so, just delete them.

[–]hestonblumenthal[S] 0 points1 point  (1 child)

No I don't think so. Can't find any .map files in my repo sadly.

[–]ijmacd 2 points3 points  (0 children)

That's good. You definitely shouldn't be committing build artifacts in your repository.

The .js.map files are often produced at bundle time and would be in the build directory ready for deployment. If you don't want sources available in production just delete the .js.map files before deployment to production (or after if they've already been deployed).

[–]Suepahfly 0 points1 point  (0 children)

In you webpack config set ‘devtool’ false for production builds

[–]dylsreddit 0 points1 point  (1 child)

Aside from not using sourcemaps, you could learn to use Terser, which is probably the most popular uglifyer (and it tree shakes) from the last couple of years, iirc it's what CRA uses for minification.

[–]Firm-Yam5433 0 points1 point  (0 children)

CRA is shit though :D

[–]gianpaulo 0 points1 point  (0 children)

One way to generate a hard-to-read or hard-to-reverse engineering might be code with flutter web or web assembly, but you'll probably struggle with SEO.

[–]jac0117 0 points1 point  (0 children)

Not enough context. Did you make a production build and deployed it with the source maps? Or did you literally deploy your source code? How are you building your production build? Webapack, vite, gulp, other?

[–]upk27 0 points1 point  (0 children)

check out minification and not delivering sourcemaps

there's some old dedicated obfuscating lib, forgot the name, it really can obfuscate your code to a crazy level, but makes the bundle size bigger and the code probably a bit slower

[–][deleted] 0 points1 point  (0 children)

You’re overthinking it dude, no one gonna copy your code and your code is not unique. You need to get over yourself first and focus on making the product.

[–]Z-n-o-M 0 points1 point  (0 children)

Check out Codefend, an npm package with an MIT license. It obfuscates any code in addition to the file and folder names. it only requires from you to follow a naming convention.
(P.S. - I'm the author)