New Javascript Obfuscator Claims To Be The Hardest To Deobfuscate has released what it claims to be the best of the major JavaScript obfuscators. Through a form of masking that makes Source Code unintelligible to the naked eye, such obfuscators raise the barrier to undesirable inspection of Javascript that is otherwise discoverable through the viewing of HTML and .JS files. Though it's hardly foolproof, obfuscators can be useful in situations where easy inspection of source code could lead to the exposure of sensitive information that developers would prefer to be less discoverable (like API keys and application secrets).

It's important to note that "security by obscurity" is defeatable and not to be relied on as the only approach to securing digital assets such as APIs or any source code that calls them. More to the point, including API secrets such as login credentials or API keys in client-side Javascript is highly discouraged. While obfuscators obfuscate the Javascript source-code itself, any data (application data, API keys, login credentials, etc.) that the source-code is passing from the client-side to the server-side must be deobfuscated before it is sent in order for the server-side API Endpoint to properly deserialize that data. Even when that data is encrypted, it is discoverable as we explained in How Hackers Crack Supposedly Secure and Private APIs.

But there are cases where such credentials are not nearly as sensitive as with others where a Javascript obfuscator would come in handy. Not to mention obfuscating server-side Javascript ( Node.js) as an added measure of security for protecting proprietary source code.  In other words, there's a time and a place for obscurity among the many layers of security that add up to well-protected digital assets. Whereas obscurity may not and often cannot deter the most determined of hackers, it raises the barrier to casual hackers who prefer to take advantage of the softest targets. Depending on their respective agendas and intent, such hackers can cause equally disruptive damage as the most determined hacker. 

In the case of, the process is relatively simple. Take the Javascript code that you want to obfuscate, paste it into the obfuscation form at, click the Obfuscate button and returns a chunk of code that, if saved into a PNG file, would produce an legitimate PNG image ( even displays this image for you). But instead of saving the code into a PNG file, you simply substitute it in your source code for the actual Javascript that you obfuscated. Any Javascript interpreter will still know what to do with it. 

According to Sergi Sole, co-founder of Barcelona-based Local Media Network and one of the obfuscator's authors, does a better job of obfuscating Javascript than other leading obfuscators. Sole told ProgrammableWeb "[It] is the same as,, etc., but uses a harder and complex algorithm. We have a challenge on our website to try to deobfuscate a little piece of code obfuscated by our algorithms  and nobody has done it." Addressing the fallibility of obfuscators, Sole said  "It's not impossible, of course. But it's a little hard to do."

In terms of how it's done, Sole said "We inject the code inside a PNG file using six distinct algorithms. So, if you discover how to deobfuscate one of these, you still must discover the other five."

Sole told ProgrammableWeb that was basically developed to scratch an itch. Something like this was needed for his other projects. Now that the site is up, he intends to monetize it with ads. Meanwhile, one important question to get answered when it comes to any online obfuscator is whether or not the site's operator is keeping a copy of the obfuscated code. When asked about trustworthiness, Sole responded that "no information is retained [by us], no source [code], no [IP addresses], nothing."  Even so, you still have to take his word for it.

An API for an obfuscator like this might come in handy. For example, it's not hard to imagine obfuscator API calls being built into a Javascript app dev workflow. But Sole doesn't think's infrastructure is ready for the potential load that might be created by an API. So, for now, it's a manual operation (although this wouldn't stop a third party from building a scraper-based API).


Be sure to read the next Security article: Java Security Improvements Shift Cybercrime Elsewhere