Integrating Jscrambler with Node.js

Last updated: 9 Sep 2024

Framework versions tested: 16 ● 18 ● 20 ● 22

Introduction

Node.js is an extremely popular open-source JavaScript runtime environment for creating server-side applications.

Example Node.js App

For the purposes of this tutorial, we will be creating a simple "Hello World" Express.js app. It simply contains an app.js file inside a lib folder with the following code:

// lib/app.js

// to install express library run:
// npm install express
const express = require('express')
const app = express()
const port = 3000

app.get('/', (req, res) => {
  res.send('Hello World!')
})

app.listen(port, () => {
  console.log(`Example app listening at http://localhost:${port}`)
})

Integrating Jscrambler with Node.js

If you haven't tried Jscrambler out before reading this tutorial, please consider reading the Getting Started Guide, which will walk you through the steps on how to protect your application. This will make this section easier to grasp. It will also teach you how to configure Jscrambler and use a custom configuration.

To complete the integration with Jscrambler, you need a JSON configuration file with your API credentials, application ID, and protection configuration. You may create your transformations recipe using the Jscrambler Web application and download a JSON configuration file, or use the following example for a quick test. This file should be named .jscramblerrc and placed in the project's root folder. If you choose to try the following example, just make sure to fill in the missing information: accessKey, secretKey and applicationId.

{
  "keys": {
    "accessKey": "<ACCESS_KEY_HERE>",
    "secretKey": "<SECRET_KEY_HERE>"
  },
  "applicationId": "<APP_ID_HERE>",
  "filesSrc": [
    "lib/*.js"
  ],
  "filesDest": "./protected/",
  "params": [
    {
      "name": "objectPropertiesSparsing"
    },
    {
      "name": "variableMasking"
    },
    {
      "name": "whitespaceRemoval"
    },
    {
      "name": "identifiersRenaming",
      "options": {
        "mode": "SAFEST"
      }
    },
    {
      "name": "globalVariableIndirection"
    },
    {
      "name": "dotToBracketNotation"
    },
    {
      "name": "stringConcealing"
    },
    {
      "name": "functionReordering"
    },
    {
      "options": {
        "freq": 1,
        "features": [
          "opaqueFunctions"
        ]
      },
      "name": "functionOutlining"
    },
    {
      "name": "propertyKeysObfuscation",
      "options": {
        "encoding": [
          "hexadecimal"
        ]
      }
    },
    {
      "name": "regexObfuscation"
    },
    {
      "name": "booleanToAnything"
    }
  ],
  "areSubscribersOrdered": false,
  "useRecommendedOrder": true,
  "jscramblerVersion": "stable",
  "tolerateMinification": false,
  "profilingDataMode": "off",
  "useAppClassification": true,
  "browsers": {}
}

Install the Jscrambler API Client:

npm install jscrambler --save-dev

Protect the application:

jscrambler

There you go. The protected version of lib/app.js was placed inside the protected folder.

Test the protected application:

node protected/lib/app.js

Known Problems

Application breaks with Self-Defending

Problem

The Node.js runtime environment re-implements some native JavaScript functions (e.g., setInterval or setTimeout), which triggers the anti-poisoning defenses of Self-Defending. As a result, your application will break.

Solution

You should activate the tolerateBenignPoisoning option on Self-Defending to prevent "benign actions" from breaking your application.

{
  "name": "selfDefending",
  "options": {
    "threshold": 10240,
    "options": [
      "tolerateBenignPoisoning"
    ],
    "countermeasures": {}
  }
}
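
A preflight check for the problem above, added here as an example and not part of Jscrambler's own tooling: it lints a parsed .jscramblerrc for a selfDefending entry that lacks tolerateBenignPoisoning and for credential placeholders left unfilled. The function name lintJscramblerConfig and both sample configs are constructed for illustration.

```javascript
// Added example: preflight lint for a parsed .jscramblerrc before protecting a Node.js app.
// lintJscramblerConfig and the sample configs below are constructed for illustration.
const PLACEHOLDER = /^<.*>$/; // e.g. "<ACCESS_KEY_HERE>" left unfilled

function lintJscramblerConfig(config) {
  const findings = [];

  // 1. Credentials and application ID must be present and not template placeholders.
  const required = {
    accessKey: config.keys && config.keys.accessKey,
    secretKey: config.keys && config.keys.secretKey,
    applicationId: config.applicationId,
  };
  for (const [name, value] of Object.entries(required)) {
    if (typeof value !== 'string' || value === '' || PLACEHOLDER.test(value)) {
      findings.push(`${name} is missing or still a placeholder`);
    }
  }

  // 2. On Node.js, selfDefending needs tolerateBenignPoisoning, otherwise the
  //    runtime's own setInterval/setTimeout trip the anti-poisoning defenses.
  const params = Array.isArray(config.params) ? config.params : [];
  for (const param of params) {
    if (param.name !== 'selfDefending') continue;
    const flags = (param.options && param.options.options) || [];
    if (!flags.includes('tolerateBenignPoisoning')) {
      findings.push('selfDefending lacks tolerateBenignPoisoning (breaks under Node.js)');
    }
  }
  return findings;
}

// Constructed sample: placeholders unfilled, selfDefending without the tolerance option.
const badConfig = {
  keys: { accessKey: '<ACCESS_KEY_HERE>', secretKey: '<SECRET_KEY_HERE>' },
  applicationId: '<APP_ID_HERE>',
  params: [{ name: 'selfDefending', options: { threshold: 10240, options: [] } }],
};

// Constructed sample: dummy values plus the option shown in the solution above.
const goodConfig = {
  keys: { accessKey: 'EXAMPLE_ACCESS', secretKey: 'EXAMPLE_SECRET' },
  applicationId: 'EXAMPLE_APP',
  params: [{ name: 'selfDefending',
             options: { threshold: 10240, options: ['tolerateBenignPoisoning'] } }],
};

console.log(lintJscramblerConfig(badConfig), lintJscramblerConfig(goodConfig));
```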