Obfuscating JavaScript code

I think the operative word in the question here is "afraid." The aversion is based on fear, not fact. The reality is, the threat model isn't particularly realistic. Commercial web software development companies nearly universally use JavaScript these days, obfuscated or otherwise, and I challenge you to find me even a single example of one that's had its JS stolen by a competitor and then been driven out of business because of it. I'm quite confident that it hasn't happened, and isn't likely to.

To your second question, do companies like Google obfuscate their JavaScript? Yes, but not for security! They obfuscate to minimize the size of the code, in order to reduce the download size and minimize the page load times. (See the Google Closure Compiler.) This is not necessarily how you'd obfuscate for security because the only goal is to minimize the number of bytes that have to be delivered to the client. This is what you should be focused on with JavaScript, not worrying about whether someone will be able to read it or not.


No. Obfuscating JavaScript usually makes no sense whatsoever. Always assume that any logic you place on the client side can easily be obtained by a determined enough attack no matter how you obfuscate it.

Your "important" logic should be stored server side.


You seem to already know that obfuscation isn't actual protection, so I'm not gonna lecture you on security by obscurity.

What makes sense is this: Put your competitive code on the server to protect it, then obfuscate client-side code as much as you want. Granted, it won't give you much security but it'll definitely deter kiddies snooping around, and it'll create an impression of stronger security as a part of security theatre. Google is doing it with Gmail, Facebook is doing it.

Keeping in mind that your code will be deobfuscated, you can still obfuscate it as a part of your build process to make your clients and users happier.

There are many tools you can use to achieve that: Free Javascript Obfuscator, and JScrambler (commercial) are two tools I've used before.

Update: After a discussion on The DMZ, we've concluded that yes, Google and Facebook are doing it, but probably only for file size and performance and there doesn't seem to be anything that suggests it's part of security theatre.
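
The split the answers above recommend (important logic on the server, only inputs and results crossing to the client), as an added example that is not code from any of the answers. The quote endpoint, field names and weights are hypothetical; the handler is framework-agnostic and would be called from whatever HTTP server you use.

```javascript
// Added example; all names, fields and weights are hypothetical.

// SERVER SIDE ONLY: the "competitive" logic. It is never shipped to the
// browser, so there is nothing for client-side obfuscation to protect.
const WEIGHTS = Object.freeze({ base: 200, age: 2, per1000Miles: 3, claim: 25 });

function computePremium({ age, mileage, claims }) {
  return WEIGHTS.base
    + age * WEIGHTS.age
    + Math.floor(mileage / 1000) * WEIGHTS.per1000Miles
    + claims * WEIGHTS.claim;
}

// Request handler body: takes the raw JSON text the client POSTed and
// returns a status plus the JSON text to send back.
function handleQuoteRequest(rawBody) {
  const reject = (msg) => ({ status: 400, body: JSON.stringify({ error: msg }) });

  let input;
  try {
    input = JSON.parse(rawBody);
  } catch {
    return reject("invalid JSON");
  }
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    return reject("expected a JSON object");
  }

  // Copy only the expected fields, each validated as a non-negative integer.
  // Anything else the client sent (for example its own "premium") is ignored:
  // the client supplies inputs, never results.
  const clean = {};
  for (const field of ["age", "mileage", "claims"]) {
    const value = input[field];
    if (!Number.isInteger(value) || value < 0) {
      return reject("bad field: " + field);
    }
    clean[field] = value;
  }

  // The response carries the result only; the weights stay on the server.
  return { status: 200, body: JSON.stringify({ premium: computePremium(clean) }) };
}
```

The browser code that calls this endpoint can then be minified for size alone, since reading it reveals only the request format.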