Skip to content

Instantly share code, notes, and snippets.

@santaklouse
Created June 7, 2026 00:04
Show Gist options
  • Select an option

  • Save santaklouse/bb383baf21b44a8fe927966775c7e65c to your computer and use it in GitHub Desktop.

Select an option

Save santaklouse/bb383baf21b44a8fe927966775c7e65c to your computer and use it in GitHub Desktop.
Bash script to minify and heavily obfuscate JavaScript files using Terser and javascript-obfuscator.

JavaScript Minification & Obfuscation Script

This repository contains a automation Bash script designed to protect and optimize your production JavaScript code. It implements a two-stage pipeline: minification using terser followed by advanced obfuscation via javascript-obfuscator.

Table of Contents

Prerequisites

Before running the script, make sure you have Node.js and npm installed. The script will automatically install the required developer dependencies upon execution:

chmod +x build.sh
./build.sh

How It Works

  1. Dependency Installation: Installs terser and javascript-obfuscator as devDependencies.
  2. Minification Stage: Compresses the source file src/app.js to remove whitespaces, comments, and optimize syntax.
  3. Obfuscation Stage: Transforms the minified code into a highly complex, anti-reverse-engineering format.

Detailed Parameter Configuration

Terser Options

Terser is used to reduce file size and perform basic symbol renaming.

  • --compress Enables code optimization. It removes dead code (unreachable functions/variables), evaluates constant expressions at build time, and optimizes conditional statements.
  • --mangle Shortens variable and function names to single or double letters (e.g., calculateTotal becomes a). This dramatically reduces file size and makes the code harder to read.
  • --output dist/app.min.js Specifies the destination path for the minified output file.

JavaScript Obfuscator Options

This tool applies advanced obfuscation algorithms to make reverse engineering, debugging, and tampering extremely difficult.

  • --compact true Removes all newline characters and formatting, packing the entire obfuscated code into a single line.
  • --control-flow-flattening true Structures flattening. Transforms the natural flow of the code (loops, if-else statements) into a complex state machine inside a single loop (usually a switch-case block). This makes the execution path almost impossible to follow visually.
  • --control-flow-flattening-threshold 0.4 Sets the probability (40%) that control flow flattening will be applied to any given block of code. Higher values degrade performance but increase protection.
  • --dead-code-injection true Injects random, useless code blocks that look functional but do nothing. This increases file size but drastically complicates automated AST (Abstract Syntax Tree) analysis.
  • --dead-code-injection-threshold 0.2 Specifies that roughly 20% of the obfuscated code will consist of injected dead code.
  • --string-array true Extracts all string literals (e.g., API URLs, messages, object keys) into a single global array. References to strings in the code are replaced with index lookups (e.g., _0x2a1b[0]).
  • --string-array-encoding base64 Encodes all strings within the global array using Base64, ensuring that plain-text strings cannot be found using simple text search tools (like grep).
  • --string-array-threshold 0.75 Sets a 75% probability that any specific string will be moved into the string array.
  • --rename-globals false Disables renaming of global variables and function names. Set to false to ensure that standard entry points or scripts relying on global scope do not break.
  • --self-defending true Injects a self-protection mechanism. If someone attempts to format/beautify the obfuscated code to read it, the script detection kicks in and crashes the application or enters an infinite loop.
  • --debug-protection false Disables built-in anti-debugging loops. (If set to true, it would freeze the browser tab if a user opens Developer Tools / Inspector).
  • --disable-console-output true Replaces all console.log, console.info, console.error, and console.warn calls with empty functions. This removes debugging logs from production and prevents attackers from gaining insights via the console.

Output Files

  • src/app.js — Your original source code (never modified by the script).
  • dist/app.min.js — Production-ready, lightweight minified code.
  • dist/app.obfuscated.js — Fully protected, production-ready obfuscated code.
#!/usr/bin/env bash
npm install --save-dev javascript-obfuscator terser
npx terser src/app.js \
--compress \
--mangle \
--output dist/app.min.js
npx javascript-obfuscator dist/app.min.js \
--output dist/app.obfuscated.js \
--compact true \
--control-flow-flattening true \
--control-flow-flattening-threshold 0.4 \
--dead-code-injection true \
--dead-code-injection-threshold 0.2 \
--string-array true \
--string-array-encoding base64 \
--string-array-threshold 0.75 \
--rename-globals false \
--self-defending true \
--debug-protection false \
--disable-console-output true
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment