Hiding JavaScript source code

JavaScript code executes on the client browser, so the client browser sees the code, and every user can obtain it. At best you can obfuscate the code so as to (try to) hide its meaning and behaviour. Obfuscation will not deter motivated attackers (it will just make them a bit angrier), so it would be quite unwise to use it as the foundation for your security model.

If you want to hide code, don't send it to the attacker's machine; keep it on the server side.


This is not possible because you cannot enforce a client's behavior. Any requests the client makes can be intercepted and manipulated with TamperData or BURP. Any JS that is executing on a client can be debugged using FireBug.

I have seen some developers go the path of (in)security through obscurity, which I consider to be a carefully engineered vulnerability that should be avoided entirely.


First, any server-side JavaScript that you may run (e.g., if your webserver is node.js) should be hidden from visitors. Any client-side JavaScript must be downloaded by users to run on their browsers, and can't be hidden. You can minify/uglify your code if you want, and you shouldn't feel compelled to also serve the original un-minified version. However, they still have fully functional minified code on their machine; the main difference is that the minified version no longer has convenient descriptive names for humans to parse out. This makes it a little bit more difficult to step through the client-side logic, but it's relatively straightforward to do as you have a JS debugger built into most modern browsers.

Bottom line: You cannot assume or rely on your client-side JavaScript being secret -- it's run by the browser.
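The point made in the first and last answers (anything shipped to the browser is readable, minified or not, so a secret or an access decision belongs on the server) as an added example that is not part of the original Q&A. The "server" and "client" are simulated as plain functions in one Node.js process so the snippet runs offline; the secret value, the function names and the JSON request shape are constructed for illustration and are not taken from any real application.

```javascript
// Added example (not from the original answers): contrasting a client-side
// "secret" check with a server-side one. Both sides are simulated in one
// process so it runs offline; no network or framework is involved.

// --- Insecure pattern: the secret and the decision logic ship to the browser. ---
// Everything in this function is delivered to the client, so anyone who loads
// the page can read it.
function clientSideUnlock(code) {
  const SECRET = "constructed-example-code-1234"; // constructed secret, baked into shipped JS
  return code === SECRET ? "premium-content" : null;
}

// A minified/uglified equivalent of the same function: the descriptive names
// are gone, the behaviour and the secret are unchanged.
function a(b){const c="constructed-example-code-1234";return b===c?"premium-content":null}

// Whatever source the browser receives is fully recoverable; this helper stands
// in for "view source" or a debugger by reading a function's own text.
function shippedSourceContains(fn, needle) {
  return fn.toString().includes(needle);
}

// --- Hardened pattern: the secret and the decision stay on the server. ---
// Simulated server: holds the secret, receives only the user's input, returns a verdict.
const server = (() => {
  const SECRET = "constructed-example-code-1234"; // never leaves this closure
  return {
    handleUnlock(requestBody) {
      const { code } = JSON.parse(requestBody);
      return JSON.stringify({ ok: code === SECRET });
    },
  };
})();

// Simulated client: the only code that would actually be shipped to the browser.
// It contains neither the secret nor the comparison, just a request and a response check.
function clientSideRequest(code) {
  const response = server.handleUnlock(JSON.stringify({ code }));
  return JSON.parse(response).ok ? "premium-content" : null;
}

function main() {
  const secret = "constructed-example-code-1234";
  console.log("client-side check works:", clientSideUnlock(secret) === "premium-content");
  console.log("secret visible in shipped source:", shippedSourceContains(clientSideUnlock, secret));
  console.log("secret visible in minified source:", shippedSourceContains(a, secret));
  console.log("server-side variant works:", clientSideRequest(secret) === "premium-content");
  console.log("secret visible in shipped client:", shippedSourceContains(clientSideRequest, secret));
}
main();
```

Minification only renames things, so both `clientSideUnlock` and its minified twin `a` still carry the literal secret and the comparison; `clientSideRequest` is what the hardened design would ship, and its source contains nothing worth hiding because the server-side closure is never sent.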