2

Let's say I have a URL as part of a webpage script like this:

<script>
var url = "http://www.example.com";
</script>

I don't want people to be able to read this URL easily. Obviously I realise that once it hits the client side they will be able to reverse engineer my code.

But I'm looking for a lightweight way to disguise this so that people can't just view/click it easily with view:source.

Elazar
Amy Neville

3 Answers

3

See MDN docs, you can use base64:

// Encoding
var stringValue = "http://www.example.com";
var encoded = btoa(stringValue);

// Decoding
var decoded = atob(encoded); // back to the original string

Easily decoded by anybody who knows how to access the browser console.

anotherdave
Nick Bull
1

First of all:

This is NOT secure, and I would NOT recommend this for anything security related.

But if you have to do it:

You can use a javascript obfuscator, which basically makes your code unreadable while it still works as it should.

Remember unreadable is not equal to undecodable.

It turns your javascript:

var url = "http://www.example.com";

Into:

var _0x5386=["\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63\x6F\x6D"];var url=_0x5386[0]

Which is 100% the same code, just unreadable:

var _0x5386=["\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63\x6F\x6D"];var url=_0x5386[0]

console.log(url); // http://www.example.com

Else take a look at Nick Bull's answer if you want to encode the url, but this will still leave your url readable for the naked eye if reading the javascript code.

This method does also have a weakness to the console window, since anyone could just type in the variable "url" and receive the url.

So all in all, this method will not leave your url in plaintext, but it does have the same console flaw as Nick Bull's answer.

But again, this is NOT secure.

Volomike
user1509104
  • It would be secure if you would use proper JavaScript protection, javascript obfuscator is easily reversed. Have a look at jscrambler.com – Carl Rck Aug 10 '16 at 11:36
  • Not sure why this answer was voted down. It is the only correct answer so far IMHO. It is super-lightweight compared to Jscrambler and makes the code not easily readable, just what the OP asked. Careful with base64 and other encodings, they are sometimes not supported by all browsers. But this is simple ASCII obfuscation, should work everywhere. – Manuel Oct 20 '19 at 01:55
  • Is there any kind of alternative to obfuscation that is secure, but does the same kind of thing? Or is obfuscation inherently unsecure? – Robby Hoover Oct 19 '21 at 02:35
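Both disguises suggested in the answers above (base64 and `\x` hex escapes) can be undone from the page source alone, without running the script or opening the console. The following is an added example, not code from any of the answers; the function names and the sample script text are constructed for illustration.

```javascript
// Constructed sample input: the two disguises shown in the answers above.
const SAMPLE_SOURCE = String.raw`
var _0x5386=["\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63\x6F\x6D"];var url=_0x5386[0];
var hidden = atob("aHR0cDovL3d3dy5leGFtcGxlLmNvbQ==");
`;

// Base64 decode that works in browsers (atob) and in Node (Buffer).
function b64decode(s) {
  return typeof atob === "function"
    ? atob(s)
    : Buffer.from(s, "base64").toString("latin1");
}

// Resolve \xNN and \uNNNN escapes inside one string literal body.
function unescapeLiteral(body) {
  return body.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Return every disguised quoted literal in `source`, decoded, with its method.
function revealStrings(source) {
  const findings = [];
  const literal = /(["'])((?:\\.|(?!\1)[^\\])*)\1/g;
  for (const m of source.matchAll(literal)) {
    const raw = m[2];
    const text = unescapeLiteral(raw);
    if (text !== raw) {
      findings.push({ method: "hex/unicode escape", value: text });
    } else if (/^[A-Za-z0-9+/]{8,}={0,2}$/.test(raw) && raw.length % 4 === 0) {
      const decoded = b64decode(raw);
      // Keep only printable ASCII results, to skip ordinary words and binary.
      if (/^[\x20-\x7e]+$/.test(decoded)) {
        findings.push({ method: "base64", value: decoded });
      }
    }
  }
  return findings;
}

// Only the URLs among the recovered strings.
function revealUrls(source) {
  return revealStrings(source).filter(f => /^https?:\/\//i.test(f.value));
}

console.log(revealUrls(SAMPLE_SOURCE));
```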
1

Jscrambler is the best option I have found if you want to conceal anything in your code. You can also add other layers of security to make reverse-engineering unfeasible and make the code detect debugging.

Carl Rck