As you probably know, WiseLoop PHP Javascript Obfuscator is a JavaScript protector that allows you to obfuscate, scramble, minimize, domain lock, set an expiration date and encrypt your JavaScript source code in order to avoid theft.
This section will explain the features of this software product and it will show you how to achieve maximum protection level for your JavaScript files or applications.
Most of the samples below are meant to be used inside a configuration preset file. Please refer to The Configuration Preset to find out more about configuration presets.
Supposing we use the obfuscator directly on JavaScript files like this:
<script src="jso.php?js=some/real/path/to/js/my-js-code.js" type="text/javascript"></script>
WiseLoop PHP Javascript Obfuscator will, of course, deliver the obfuscated version of "some/real/path/to/js/my-js-code.js".
But what if someone checks the page source and sees the real path where "my-js-code.js" is located? A simple browser request to "some/real/path/to/js/my-js-code.js" will reveal the JavaScript source code.
Use code repository access to hide the real path to JavaScript files and increase the protection level.
Basically, the code repository consists of a list of directories containing the JavaScript files to be protected. The directories can be located anywhere on your server and they will not be revealed when using the obfuscator. So, when using the recommended code repository access, the usage will be:
<script src="jso.php?rjs=repository-name/my-js-code.js" type="text/javascript"></script>
The obfuscator will search through all the directory entries under the "repository-name" for the "my-js-code.js" file. When found, it will obfuscate it and deliver it to the requester.
Please refer to The Code Repository section to find out how to set up a JavaScript source code repository.
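An added check, not part of WiseLoop's code: it scans a page's markup for script tags that still call jso.php with the direct js= parameter, so they can be moved to the rjs= repository form. The sample page and the function names are constructed for illustration.

```javascript
// Added example, not WiseLoop code. SAMPLE_PAGE is constructed for illustration.
const SAMPLE_PAGE = `
<script src="jso.php?js=some/real/path/to/js/my-js-code.js" type="text/javascript"></script>
<script type="text/javascript" src='jso.php?rjs=repository-name/my-js-code.js'></script>
<script src="vendor/other.js"></script>`;

// Return one finding per <script> tag that is served through jso.php.
function auditScriptTags(html) {
  const findings = [];
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*(["'])(.*?)\1[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = m[2].replace(/&amp;/g, "&"); // undo HTML escaping of "&"
    const q = src.indexOf("?");
    // Only look at requests whose path ends in jso.php.
    if (q === -1 || !/(^|\/)jso\.php$/.test(src.slice(0, q))) continue;
    const params = new URLSearchParams(src.slice(q + 1));
    if (params.has("js")) {
      // The real location of the source file is visible in the page.
      findings.push({ src, status: "direct-path", exposedPath: params.get("js") });
    } else if (params.has("rjs")) {
      findings.push({ src, status: "repository", exposedPath: null });
    }
  }
  return findings;
}

// Only the tags that reveal a real path and should be switched to rjs=.
function directPathFindings(html) {
  return auditScriptTags(html).filter((f) => f.status === "direct-path");
}

for (const f of directPathFindings(SAMPLE_PAGE)) {
  console.log(`exposes ${f.exposedPath} (use rjs= with a repository instead)`);
}
```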
Using bytecode encryption, the code is transformed into a byte string that is decrypted by the JavaScript itself through a boot function that is also obfuscated.
The dynamic bytecode encryption feature will deliver a different encrypted byte string content on each request making decryption attempts very difficult.
You should use the recommended setting value (1) in order to achieve a decent balance of protection level and payload size.
To enable encryption, put this in your configuration preset file (a zero value means that no encryption will be performed):
$config->ENCRYPTION_LEVEL = 1;
or
$config->ENCRYPTION_LEVEL = 2;
A thief might say: "It is obfuscated? So what? I don't need to understand it, I just want to use it. I will get it and copy it to my web site."
To stop this kind of theft, you have to make your script work only on your domain.
The domain lock feature will limit the JavaScript code functionality to the current domain only, so the script will stop working if copied to another internet domain.
Of course, you can provide this kind of protection yourself inside the JavaScript source code, but what if you have several domains? You would have to maintain multiple JavaScript files with exactly the same functionality, one for each internet domain you hold, which quickly becomes hard to manage.
Just put this in your configuration preset:
$config->DO_LOCK_DOMAIN = true;
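An added sketch of the hand-written alternative mentioned above, not code generated by the obfuscator: a single lock that covers several domains in one file. The domain names and function names are placeholders chosen for this example.

```javascript
// Added example, not the obfuscator's generated code.
// ALLOWED_DOMAINS holds constructed placeholder names.
const ALLOWED_DOMAINS = ["example.com", "example.org"];

function normalizeHost(host) {
  // Lower-case, then drop any port and a trailing dot (fully qualified form).
  return String(host).toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

function isAllowedHost(host, allowed = ALLOWED_DOMAINS) {
  const h = normalizeHost(host);
  if (h === "") return false;
  return allowed.some((d) => {
    const domain = normalizeHost(d);
    // Exact match, or a subdomain. The "." label boundary is required so that
    // "notexample.com" and "example.com.other.test" are rejected, which a
    // plain substring test would accept.
    return h === domain || h.endsWith("." + domain);
  });
}

// Run the application entry point only on an allowed host.
// Fails closed and silently, so no hint is given about why nothing runs.
function runIfLicensed(host, main) {
  if (!isAllowedHost(host)) return false;
  main();
  return true;
}

// In a browser this would be called as: runIfLicensed(location.hostname, startApp)
```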
But what if, after many hours of hard work, a thief somehow manages to decrypt the encrypted code and arrives at more readable JavaScript source code that might look similar to your original source code?
"Similar" is the keyword here, because if you apply the names replacement obfuscation technique to your original JavaScript code, all the declared variable names will be obfuscated and replaced with self-generated ones consisting only of 'I', 'l' and '1', making the code very hard to understand and modify.
Just put this in your configuration preset:
$config->DO_SCRAMBLE_VARS = true;
Enabling Decoy Code Generation will test if the request to the obfuscation engine was made from inside a page and not directly.
This will protect the resulting obfuscated JavaScript code files against direct scraping.
If direct access attempts to the obfuscated JavaScript code are detected, a bogus decoy source code will be generated as a trap, so that a possible thief will work in vain when trying to deobfuscate the code.
Just put this in your configuration preset file:
$config->DO_DECOY = true;
Specifying an Expiration Date will apply a time limit to the functionality of the JavaScript code.
When the given date is reached, the script will stop working.
You can use this feature to enable subscription-type licenses for your JavaScript applications.
Just put this in your configuration preset file (modify the date according to your needs):
$config->EXPIRATION_DATE = '2090-12-12';
The size optimization feature will minify the code by removing comments, carriage returns, line feeds, tabs and white spaces from the original JavaScript source code, reducing download size and also contributing to obfuscation.
Just put this in your configuration preset:
$config->DO_MINIFY = true;
The integrated caching engine will provide fast delivery speeds by avoiding processing of already obfuscated JavaScript files and loading them directly from the cache instead.
Acceptable values:
To enable caching, put this in your configuration preset:
$config->CACHE_LEVEL = 1;
or
$config->CACHE_LEVEL = 2;
When setting an expiration time limit and/or locking the internet domain, WiseLoop PHP Javascript Obfuscator can generate code that will alert the user when the time limit has been reached and the script has expired, or when it detects an attempt to run on another internet domain.
Although this can be fair behaviour, it is not advisable to enable this kind of message, because it gives the potential attacker a clue about what is happening and why the stolen script does not work anymore.
To enable user messages, put this in your configuration preset:
$config->SHOW_JS_LOCK_ALERTS = true;
To disable user messages, put this in your configuration preset:
$config->SHOW_JS_LOCK_ALERTS = false;
You might also want to check wlJSOConfig (MSG_LOCK_DOMAIN and MSG_EXPIRED) properties in order to modify the actual messages.
Obfuscate, scramble, minimize, domain lock, set an expiration date and encrypt your JavaScript code to protect it against theft!
This safe JavaScript anti-theft protection allows you to deliver live obfuscated, encrypted JavaScript code by processing the original source code online, directly on the server side, so no offline processing is needed. Just copy your original JavaScript source code to the server and deliver it to the browser through the WiseLoop PHP Javascript Obfuscator, and you will be protected against theft.