Prevent Javascript games tweaking/hacking

Question

Thanks to the recent browsers enhancements, developing games with canvas and javascript has become a good option, but now that the code is easily accessible, just writing

javascript:score=99999

or

javascript:lives=99

Will spoil the game objectives.

I know that with some server-side checking something can be done, but I would prefer to access the server just to store player stats at the end, or even have it client only in most cases.

I wonder if at least the are some best pratices to start with.

(using not so obvious variables names is a start, but not enough)

-Added-

Thanks for the replies, I was looking to improve the client-side code, enough to stop "casual hackers", but still leaving the code as clean as possible. Anyone that really wants to hack it will succeed anyway, even with server-side checks, as I've seen it in many flash games.

Answer 1

I'll say what I said at my comment: put every source code in (function(){ }());. Then, the variables and functions can't be accessed from outside.

Example:

(function(){
    var a = 'Foo';
    var b = 42;
    function helloWorld(a,b){
        for(i=0;i<b;i++)console.log(a);
    }
    helloWorld(a,b);
});
//Can't access to a, b, or helloWorld using javascript: or default console of Google Chrome,
//but people still can see by looking source code and may be modified by other tools
//(see comments of Tom & user120242)

I 'learned' this technique this when I dig into Les Paul Google Doodle.

To be more secure (not completely secure, but it'll annoy some hackers), compress and obfuscate your script by tools something like YUI compressor or packer.

Answer 2

One way is to send a record of every move to the server as well, then to verify that those moves would have got that score.

That's easy for games like solitaire or chess, but not really for more complex games.

A simpler version of that is to work out the max points that could be obtained per second, or per move, then to verify that the score isn't higher than your theoretical maximum.

Another way is for each move to be recorded on the server, and to total up the score there. That means there is no send at the end of the game, and that those variables are only for display, not the real score.

Offline games could be starred on the highscore table or something to show they aren't verified.

It's worth pointing out that with any javascript debugger, such as the Inspector in Webkit, Firebug for Firefox or Dragonfly on Opera it's trivial to change the value of variables on the client side, even if your code is in a closure. Any form of obfuscation is pointless, as again it's easy to watch which variable corresponds to the score as the game is played, and any encoding or whatever can simply be read out of the code.