 

What is the security of javascript minification

So for a long time now I have been under the assumption that, while it does provide performance gains, one of the primary reasons we minify JavaScript/CSS is to give a modicum of obfuscation to it so that it is harder to reverse engineer.

However, a friend of mine just showed me how it is not only possible, but extremely simple, to just reverse minification on minified JavaScript and CSS.

So my question is: other than performance gains, what is the point? Is there any other actual way to protect JavaScript from being simply stolen right from your site?

Likes: 713
Ciel asked Mar 26 '14 18:03



2 Answers

JavaScript minification is done primarily to increase performance. Upon minification, it's not uncommon to see >25% reduction in script size. On top of this, some minify-ers/compilers will obfuscate your code a little as well, renaming functions and variables to less obvious names.

As you've pointed out, it can always be unminified or pretty-printed, but since JavaScript is a non-compiled, client-side language there isn't a whole lot you can do to protect your JavaScript.

See this link on javascript obfuscation.

If you have proprietary code or code you really don't want users seeing, you'll have to keep it server side. Consider moving it to a server-side language such as PHP, Python, C, etc., and expose the functions via web services.

Likes: 194
Grant Amos answered Oct 26 '22 21:10


There is no way to prevent JavaScript from being stolen directly off your site. It is "stolen" the instant someone visits your site and loads the HTML page or file containing the JavaScript code. Minification will do nothing more from a security perspective than obfuscate your code from a casual browser. Its primary purpose is for performance.

Rule of thumb: If you don't want the user to have access to it, don't send it to the client/browser.

Likes: 36
ElGavilan answered Oct 26 '22 22:10
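
What both answers describe, as an added example that is not part of the original posts: a few dozen lines restore the layout a minifier removed and list every string literal it left untouched, which is why anything sensitive belongs on the server. The sample bundle, the `api.example.test` URL and all function names are constructed for illustration, and the scanner is deliberately simplified (quoted strings only; no template literals, regex literals or comments).

```javascript
// Constructed sample of minifier output (not from the original posts).
const MINIFIED = 'function a(b,c){var d="https://api.example.test/v1/price";if(b>c){return d+"?tier=gold"}return d}';

// Walk the source once, handing string literals and code characters to
// separate callbacks, so braces or semicolons inside strings are never
// mistaken for program structure.
function scan(src, onCode, onString) {
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '"' || ch === "'") {
      let j = i + 1;
      // Skip escaped characters so \" does not end the literal early.
      while (j < src.length && src[j] !== ch) j += src[j] === "\\" ? 2 : 1;
      onString(src.slice(i, j + 1));
      i = j + 1;
    } else {
      onCode(ch);
      i += 1;
    }
  }
}

// Restore line breaks and indentation: the only layout a minifier strips.
function prettyPrint(src) {
  let out = "", depth = 0;
  const nl = () => "\n" + "  ".repeat(depth);
  scan(src, (ch) => {
    if (ch === "{") { depth += 1; out += " {" + nl(); }
    else if (ch === "}") { depth -= 1; out = out.trimEnd() + nl() + "}" + nl(); }
    else if (ch === ";") { out += ";" + nl(); }
    else out += ch;
  }, (lit) => { out += lit; });
  return out.trim();
}

// Minifiers rename identifiers, not literals: endpoints, keys and
// messages embedded in the bundle survive verbatim.
function stringLiterals(src) {
  const found = [];
  scan(src, () => {}, (lit) => found.push(lit.slice(1, -1)));
  return found;
}

console.log(prettyPrint(MINIFIED));
console.log(stringLiterals(MINIFIED));
```

Running `stringLiterals` over your own production bundle is a quick audit for values that should never have been shipped to the browser.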