This repository contains a automation Bash script designed to protect and optimize your production JavaScript code. It implements a two-stage pipeline: minification using terser followed by advanced obfuscation via javascript-obfuscator.
Before running the script, make sure you have Node.js and npm installed. The script will automatically install the required developer dependencies upon execution:
chmod +x build.sh
./build.sh
- Dependency Installation: Installs
terserandjavascript-obfuscatorasdevDependencies. - Minification Stage: Compresses the source file
src/app.jsto remove whitespaces, comments, and optimize syntax. - Obfuscation Stage: Transforms the minified code into a highly complex, anti-reverse-engineering format.
Terser is used to reduce file size and perform basic symbol renaming.
--compressEnables code optimization. It removes dead code (unreachable functions/variables), evaluates constant expressions at build time, and optimizes conditional statements.--mangleShortens variable and function names to single or double letters (e.g.,calculateTotalbecomesa). This dramatically reduces file size and makes the code harder to read.--output dist/app.min.jsSpecifies the destination path for the minified output file.
This tool applies advanced obfuscation algorithms to make reverse engineering, debugging, and tampering extremely difficult.
--compact trueRemoves all newline characters and formatting, packing the entire obfuscated code into a single line.--control-flow-flattening trueStructures flattening. Transforms the natural flow of the code (loops, if-else statements) into a complex state machine inside a single loop (usually aswitch-caseblock). This makes the execution path almost impossible to follow visually.--control-flow-flattening-threshold 0.4Sets the probability (40%) that control flow flattening will be applied to any given block of code. Higher values degrade performance but increase protection.--dead-code-injection trueInjects random, useless code blocks that look functional but do nothing. This increases file size but drastically complicates automated AST (Abstract Syntax Tree) analysis.--dead-code-injection-threshold 0.2Specifies that roughly 20% of the obfuscated code will consist of injected dead code.--string-array trueExtracts all string literals (e.g., API URLs, messages, object keys) into a single global array. References to strings in the code are replaced with index lookups (e.g.,_0x2a1b[0]).--string-array-encoding base64Encodes all strings within the global array usingBase64, ensuring that plain-text strings cannot be found using simple text search tools (likegrep).--string-array-threshold 0.75Sets a 75% probability that any specific string will be moved into the string array.--rename-globals falseDisables renaming of global variables and function names. Set tofalseto ensure that standard entry points or scripts relying on global scope do not break.--self-defending trueInjects a self-protection mechanism. If someone attempts to format/beautify the obfuscated code to read it, the script detection kicks in and crashes the application or enters an infinite loop.--debug-protection falseDisables built-in anti-debugging loops. (If set totrue, it would freeze the browser tab if a user opens Developer Tools / Inspector).--disable-console-output trueReplaces allconsole.log,console.info,console.error, andconsole.warncalls with empty functions. This removes debugging logs from production and prevents attackers from gaining insights via the console.
src/app.js— Your original source code (never modified by the script).dist/app.min.js— Production-ready, lightweight minified code.dist/app.obfuscated.js— Fully protected, production-ready obfuscated code.