Jscrambler Client-Side Countermeasures

Jscrambler allows you to lock your code to specific domains, browsers, dates and operating systems. This functionality is great when coupled with anti-tampering and anti-debugging capabilities since it ensures the code is running how it was designed to and in the correct environment.

Jscrambler also allows you to choose behaviors which are triggered whenever someone breaks the locks in the code or tries to debug the application and tamper with it. The following section describes each of the behaviors you can select regarding Jscrambler's Code Locks and Self-Defending transformations.


Break Application

This is the default behavior and is enabled by default. Whenever someone breaks a lock in your code or tries to tamper with the application the application will stop working.

Note that removing this capability is only possible on Jscrambler's Code Locks, not on the Self-Defending transformation.

Custom Callback Function

This functionality was previously known as warningFunction.

This option allows supplying the transformation with a name of a function which will be called when someone breaks any lock or tries to debug or tamper with the application. The function should be inside of the code which is being protected and its functionality is totally up to the user. It could, for example, contact a server informing that someone is trying to run the code after it has expired (date lock) or trigger a pop-up message.

Delete Cookies

This option will delete all the cookies which do not have a path property set neither have been created with the HttpOnly flag.


This option will trigger a redirect to a specified URL.

Our current redirect approach as a countermeasure currently is not supported on browsers that came out prior to Internet Explorer 9 as it would require extra logic only for a small amount of use cases.

If the user wants to add this behaviour for Internet Explorer 8 (the oldest version Jscrambler supports) it can be done using the Custom Callback countermeasure.

The function invoqued should be similar to the following:

function redirect (url) {
  var ua = navigator.userAgent.toLowerCase();
  var isIE = ua.indexOf('msie') !== -1;
  var version = parseInt(ua.substr(4, 2), 10);

  if (isIE && version < 9) {
    var link = document.createElement('a');
    link.href = url;


These behaviors can be selected for each of Jscrambler's locks and for the Self-Defending transformations as well.

Web App

To enable any countermeasure, select the checkboxes relative to each of the behaviors and fill the extra parameterization if needed. Below is an example of the attack response options:



Our CLI and our other packages such as webpack and gulp allow for specifying the attack response options through the configuration:

  "keys": {
    "accessKey": "myAccessKey",
    "secretKey": "mySecretKey"
  "applicationId": "myApplicationID",
  "params": [
      "name": "browserLock",
      "options": {
        "browsers": [
        "countermeasures": {
          "customCallback": "callbackFunction",
          "deleteCookies": true,
          "redirect": "https://www.example.com",
          "breakApplication": true
  "areSubscribersOrdered": false,
  "applicationTypes": {
    "webBrowserApp": true,
    "desktopApp": false,
    "serverApp": false,
    "hybridMobileApp": false,
    "javascriptNativeApp": false,
    "html5GameApp": false
  "languageSpecifications": {
    "es5": true,
    "es6": false,
    "es7": false