How much does the file size grow?

Depends on the preset. **Low**: +30-60% (mainly compacting and string array). **Medium**: +150-300% (adds control flow flattening and array rotation). **High**: **+500-1500%** (dead code injection plus self-defending). A 5 KB file on the High preset can grow to 60-80 KB. **Gzip and brotli** help a lot though - the transferred size over the wire is much smaller than the raw figure suggests.

How much will my code slow down at runtime?

Also preset-dependent. **Low**: essentially zero (1-2% overhead). **Medium**: noticeable on hot paths - around **2-5x slower** in functions that touch the rotated string array. **High**: `controlFlowFlattening` plus `deadCodeInjection` can **slow code down 10-30x**. For ordinary UI logic (click handlers, form submits) nobody will notice. For **tight loops, animations, parsers** - do not use the High preset.

Does it work on minified code or a webpack/Vite/Rollup bundle?

Yes. **Obfuscate after minification** (so it is the last step in your build pipeline). Output from `vite build`, `webpack --mode production`, `esbuild` is good input - the obfuscator takes it and tangles it further. To get good gzip ratios, place obfuscation **before gzip** (so the server gzips the obfuscated code).

What about ES modules (import/export), TypeScript, JSX?

The obfuscator accepts **ES2020+** (`import`, `export`, top-level await, optional chaining, etc.). **TypeScript** has to be compiled to JS first (e.g. `tsc`, `esbuild`) - the obfuscator does not read types. **JSX** too - compile it via Babel/SWC into `React.createElement` (or the new `_jsx`), then obfuscate the result.

And source maps? Can I still debug in production?

The obfuscator can emit a source map (`sourceMap: true`), **but that defeats the entire point** - the map is literally a file that translates the obfuscated names back to the originals. If you publish it, anyone clicks "Pretty print" in DevTools and gets clean code. Rule of thumb: **never publish source maps for obfuscated code**. Keep the map private inside Sentry/Rollbar, deobfuscate stack traces on the server side.

Does the output run in every browser?

Yes - the output is standard JavaScript. By default the obfuscator targets **ES2015+** (Chrome 49+, Firefox 45+, Safari 10+). If you have to support IE11, pipe the code through Babel and polyfills first, **then** obfuscate.

Does the code I paste leave my browser?

**No.** The whole process runs in your browser - the `javascript-obfuscator` package loads as JS on your machine, takes your code as a string and returns the result. **Zero network traffic** beyond the initial library download (one-off, cached). You can disable the internet after the page has loaded and the tool will still work.

Can I undo obfuscation if I lose the original?

There is **no reverse "deobfuscate to original" operation** - the obfuscator throws away variable names and structure. You can only **beautify** (Prettier) and rename variables manually ("this _0x4857 looks like a response handler"). That is **hours of work**. **Always keep the source version** in Git - the obfuscated file is a build artifact, not the source of truth.

Which preset should I pick for a regular project?

**Medium** is a sensible default. It makes reading the code meaningfully harder, the runtime overhead is minor, and the file size stays reasonable. Use **Low** when you are obfuscating an entire app bundle (say 500 KB) and do not want to triple its size. Save **High** for **sensitive fragments** - that one 50-line license-check module, not the whole bundle.

JavaScript Obfuscator - free

Why obfuscate JavaScript?

Anything you ship to the browser - JS code, API endpoints, paywall logic, license checks - can be opened in DevTools in 3 seconds and read like a book. Obfuscation is not encryption (that is impossible by definition - the browser still has to execute the code), but it raises the skill bar so a casual `Ctrl+F` in the Sources panel finds nothing interesting.

Variables get renamed to things like `_0x4857`, strings move into an encrypted lookup table, control flow gets "flattened" and tangled, numbers become expressions (`5` becomes `0x1 + 0x4`). Everything still behaves identically at runtime.

Paste your code, pick a preset (Low / Medium / High) or toggle individual options, copy or download the result. Everything runs in your browser - the code never leaves your machine. That matters, because you are usually obfuscating exactly the kind of thing you do not want to share.

How to use

Paste JavaScript code in the left panel or click "Upload file" to load `.js`, `.ts`, `.mjs` from disk.
Pick a preset: Low (light makeup), Medium (sensible default), High (maximum scramble - slower runtime).
Optionally expand advanced options and toggle individual flags (e.g. enable selfDefending, disable deadCodeInjection).
On the right you see the obfuscated output plus a size comparison - the higher the preset, the larger the file.
Test the result in DevTools - it should behave identically to the original. If anything breaks, drop the preset down.
Hit "Copy" to paste into your bundler or "Download" to save as `obfuscated.js`.
Ship the obfuscated version to production. Keep the original code private - the obfuscated file is the artifact, not the source.

When this helps

Concrete situations where obfuscation pays off:

A proprietary client-side algorithm. For example a custom recommendation engine, an original sorting algorithm, a custom browser-game rule set.
License validation in a SaaS app. The client has the JS, but a quick crack ("delete this `if (!valid) return`") is harder when `valid` no longer exists as a name.
Hiding API endpoints. URLs and keys are still visible (to anyone determined enough), but they do not show up in a one-second grep.
Protecting code from competitors. A small company shipping a SaaS library hosted by clients - obfuscation raises the cost of cloning your logic.
Anti-tampering for widgets. Chat widgets, lead-gen forms, analytics snippets - obfuscation makes it harder to modify them live in the wild.
Browser extensions and userscripts. If you distribute a userscript, obfuscation deters "fork and resell as my own".

Next, also optimize your SVG assets or convert HTML to JSX. For real client-side security use a strong password generator instead.

Frequently asked

No. Obfuscation is harder to read, not encrypted. The code still has to execute in the browser, so the JS engine must understand every statement. Anyone willing to put in a little work (5-30 minutes with tools like deobfuscator.io, AST explorer, prettier) can recover readable code. This is a speed bump against script kiddies, not a vault against a determined attacker. Never put real secrets (private API keys, encryption keys) inside obfuscated code - keep those on the backend.

Why obfuscate JavaScript?

How to use

Paste JavaScript code in the left panel or click "Upload file" to load `.js`, `.ts`, `.mjs` from disk.

Pick a preset: Low (light makeup), Medium (sensible default), High (maximum scramble - slower runtime).

Optionally expand advanced options and toggle individual flags (e.g. enable selfDefending, disable deadCodeInjection).

On the right you see the obfuscated output plus a size comparison - the higher the preset, the larger the file.

Test the result in DevTools - it should behave identically to the original. If anything breaks, drop the preset down.

Hit "Copy" to paste into your bundler or "Download" to save as `obfuscated.js`.

Ship the obfuscated version to production. Keep the original code private - the obfuscated file is the artifact, not the source.

When this helps

Concrete situations where obfuscation pays off:

A proprietary client-side algorithm. For example a custom recommendation engine, an original sorting algorithm, a custom browser-game rule set.
License validation in a SaaS app. The client has the JS, but a quick crack ("delete this `if (!valid) return`") is harder when `valid` no longer exists as a name.
Hiding API endpoints. URLs and keys are still visible (to anyone determined enough), but they do not show up in a one-second grep.
Protecting code from competitors. A small company shipping a SaaS library hosted by clients - obfuscation raises the cost of cloning your logic.
Anti-tampering for widgets. Chat widgets, lead-gen forms, analytics snippets - obfuscation makes it harder to modify them live in the wild.
Browser extensions and userscripts. If you distribute a userscript, obfuscation deters "fork and resell as my own".

Next, also optimize your SVG assets or convert HTML to JSX. For real client-side security use a strong password generator instead.

Frequently asked

JavaScript Obfuscator