JavaScript code works in web browsers of users and is available to them for analysis and other actions. If you asked yourself the question “Why should I obfuscate my JavaScript code?”, there are some reasons why it is recommended to protect the code, for example:

  • Do not let anyone just copy/paste your work. This is especially important for 100% client projects such as HTML5 games;
  • Removing comments and spaces that are not needed. Faster downloads and increased difficulty to understand;
  • Protection of works that have not yet been paid. You can show your work to the client, knowing that he will not have the source code until the bill is paid;
  • Protection against site proxying, proxying programs can change all internal links, thanks to obfuscation JavaScript can be protected from automatic parsers.

See also the article “How to deobfuscate JavaScript code”.

Obfuscated JavaScript is slower!

The article referenced above explains the difference between minifying and obfuscating the source code. In addition to the method of their implementation and ease of restoration to their original form, the result also varies in performance.

Minified code: it is downloaded faster from the server, as it has a smaller size, its performance is the same as the code in the original version.

Obfuscated code: it usually has a larger size and is almost always slower (by tens of percent), because in addition to the main function, the related actions are performed to run the code.

So, minified code: it’s easy to restore to its original form, performance does not drop.

Obfuscated code: (very) difficult to restore to its original form, code performance drops. You can add self-defense and debugging protection to obfuscated code, as well as meaningless pieces of code that will greatly complicate its analysis.

Conclusion: obfuscate only the code that you want to protect. That is, it makes sense to obfuscate your code, but it makes no sense to obfuscate the code of popular JavaScript libraries, which are already publicly available in their original form.

Programs to minify and obfuscate JavaScript

This article will discuss various tools and methods for protecting and optimizing JavaScript code.

Btoa and atob functions

In simple cases, bulky obfuscation tools are not needed to protect against parsers and it’s quite simple to “hide” some strings.

To make it clear, I’ll give you an example. Someone began to proxy my site on another domain, that is, the contents of the site are displayed and all links to another's domain are replaced in it, so that when clicking on the links the user remains on this extraneous site.

Since the site was copied completely, along with all the scripts, it’s enough to add a similar code:

        if (/(www\.)?kali\.tools/.test(window.location.hostname)) {

        else {
	     window.location = '';

This code checks on which domain the page is open, and if this page is not on the domain, then it redirects to

The problem is that during proxying all links to are replaced with, as a result, the code turned into:

        if (/(www\.)?kali\.tools/.test(window.location.hostname)) {

        else {
	     window.location = '';

The code can be obfuscated (but it’s not enough to just minify it!). But it’s even easier to hide the “” string using the btoa and atob functions.

The btoa and atob functions are built-in JavaScript functions and are always available.

The btoa function convert the specified string into a character set (works like Base64), and the atob function performs the reverse operation.

Short description of function results:

btoa('Some text'); // U29tZSB0ZXh0
atob('U29tZSB0ZXh0'); // Some text

So, let's see what the line “" turns into:




Now in my simple code, we use the atob function to invert the conversion of this string, we get:

if (/(www\.)?kali\.tools/.test(window.location.hostname)) {

else {
	window.location = atob('aHR0cHM6Ly9rYWxpLnRvb2xz');

The given code does exactly what I need – it checks on which domain the site was opened and if it is not, it redirects to At the same time, when proxying a site, parsers do not see the string and do not make any changes to this code fragment.

JavaScript Obfuscator

JavaScript Obfuscator is a powerful obfuscator with many options. Using JavaScript Obfuscator, you will get code that is really hard to understand. Additionally, JavaScript Obfuscator can integrate debugging protection (when you open the Debug panel in the Development Tools in browsers, the browser will freeze), self-protection code (insertion of meaningless fragments, etc.). JavaScript Obfuscator has many subtle options for adjusting the obfuscation process.

This tool has both a web interface and a command line interface.

JavaScript Obfuscator online

Instead of installing on a computer, you can use the online service from the authors, it is located at:

How to install JavaScript Obfuscator

Installation on Kali Linux

sudo apt install npm
sudo npm install --save-dev javascript-obfuscator
sudo ln -s ~/node_modules/javascript-obfuscator/bin/javascript-obfuscator /usr/local/bin
javascript-obfuscator -h

Installation in BlackArch

sudo pacman -S npm
sudo npm install --save-dev javascript-obfuscator
sudo ln -s ~/node_modules/javascript-obfuscator/bin/javascript-obfuscator /usr/local/bin
javascript-obfuscator -h

How to install Obfuscator JavaScript GUI

Installing Obfuscator JavaScript web interface on Kali Linux

sudo apt remove cmdtest
sudo apt install npm
sudo npm install -g yarn
sudo npm cache clean -f
sudo npm install -g n
sudo n stable
git clone
cd javascript-obfuscator-ui/
npm run updatesemantic
npm run webpack:dev
node server.js

After that, the web interface will be available at http://localhost:3000/

Installing the Obfuscator JavaScript Web Interface on BlackArch

sudo pacman -S npm yarn
git clone
cd javascript-obfuscator-ui/
npm run updatesemantic
npm run webpack:dev
node server.js

After that, the web interface will be available at hhttp://localhost:3000/

You will find a detailed description of options and examples of launching JavaScript Obfuscator at

To obfuscate JavaScript code on the command line in the script.js file:

javascript-obfuscator script.js

For example, with the default options, the code:

if (/(www\.)?kali\.tools/.test(window.location.hostname)) {

else {
	window.location = atob('aHR0cHM6Ly9rYWxpLnRvb2xz');

Turns into:

var _0x2001=['test','aHR0cHM6Ly9rYWxpLnRvb2xz','location','hostname'];(function(_0x20ce42,_0x200145){var _0x20e03c=function(_0x46b9e3){while(--_0x46b9e3){_0x20ce42['push'](_0x20ce42['shift']());}};_0x20e03c(++_0x200145);}(_0x2001,0xed));var _0x20e0=function(_0x20ce42,_0x200145){_0x20ce42=_0x20ce42-0x0;var _0x20e03c=_0x2001[_0x20ce42];return _0x20e03c;};if(/(www\.)?kali\.tools/[_0x20e0('0x3')](window['location'][_0x20e0('0x2')])){}else{window[_0x20e0('0x1')]=atob(_0x20e0('0x0'));}


JSFuck is a very unusual obfuscator, it can represent any JavaScript code with a record of only six characters, namely []()!+

Such notation can put a dead end stronger than the output of the JavaScript Obfuscator discussed above. But, in fact, the obfuscated code can be restored to its former form, for example, with the JStillery tool.

How to install JSFuck

Installation on Kali Linux

git clone
cd jsfuck
php -S

After that, JSFuck will be available at http://localhost:8181/

Installation on BlackArch

sudo pacman -S jsfuck

Installation on Windows

Download and unzip the archive with the program:

Open the index.html file of their archive in a web browser.

Regardless of the installation method, it is recommended to replace the string in the index.html file

<input id="input" type="text" value="alert(1)"/>

with line:

<textarea id="input">alert(1)</textarea>

As a result, you can enter for obfuscation not only individual lines, but also large pieces of code.

The following code is working, you can save it to a file with the extension .htm and open it in any web browser:


Agree, this is very unusual! But that's not all! The author of JSFuck prepared completely unrealistic concepts that explode the brain:

  • JavaScript recording by symbols of any language, including hieroglyphs or a nonexistent language from Star Wars
  • invisible javascript
  • JavaScript fully written as ASCII

These extremely entertaining examples will be considered at the end of this article, since they have more educational (than practical) significance.

Online code obfuscation service

An online service, it does not have many options:

The resistance of the resulting code for deobfuscation is rather weak, it can be deobfuscated with the tools discussed in the article “How to deobfuscate JavaScript code”.

Sample code for obfuscation:

if (/(www\.)?kali\.tools/.test(window.location.hostname)) {

else {
	window.location = atob('aHR0cHM6Ly9rYWxpLnRvb2xz');

The result obtained:

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('4(/(3\\.)?2\\.5/.a(0.1.6)){}8{0.1=7(\'9\')}',11,11,'window|location|kali|www|if|tools|hostname|atob|else|aHR0cHM6Ly9rYWxpLnRvb2xz|test'.split('|'),0,{}))

All online JavaScript obfuscation services


UglifyJS tool does a great job of minimizing JavaScript code.

How to install UglifyJS

Installation on Kali Linux

sudo apt install uglifyjs

Installation in BlackArch

sudo pacman -S uglify-js

Launch example (to compress the code in the redir.js file):

uglifyjs redir.js -c

Source code example:

if (/(www\.)?kali\.tools/.test(window.location.hostname)) {

else {
	window.location = atob('aHR0cHM6Ly9rYWxpLnRvb2xz');

An example of the result:


This tool has many configuration options, a full list can be found at

slimit and python-jsmin

The slimit and python-jsmin programs are Python modules for compressing JavaScript source code.

Slimit installation

In Kali Linux:

sudo apt install slimit

In BlackArch:

sudo pacman -S slimit

Program website:

To install python-jsmin on BlackArch:

sudo pacman -S python-jsmin

Program website:

The most difficult JavaScript obfuscation

I already mentioned that the author of JSFuck prepared the most unusual forms and examples of JavaScript, a list of them can be found on the website Here are some of them:

For example, code written in Thai characters:


Code written with just in Xs:


This is workable code that you can put in <script> … </script> tags and open it in a web browser.

In the last example, you cannot steal JavaScript code by copy-paste!

