Vue project configures webpack-obfuscator to implement code encryption and obfuscation

background The company code is provided to third parties for use. In order to prevent the source code from being completely leaked, the given code needs to be encrypted and obfuscated. Although the front-end code cannot be completely encrypted and obfuscated, the build code can be completely obfuscated by using `webpack-obfuscator` by adding random junk code segments, character encoding escapes, etc., so that the source code cannot be restored or even read. Install `webpack-obfuscator` https://www.npmjs.com/package/webpack-obfuscator npm install --save-dev webpack-obfuscator Configuration // webpack.config.js const JavaScriptObfuscator = require('webpack-obfuscator'); module.exports = { entry: { 'abc': './test/input/index.js', 'cde': './test/input/index1.js' }, output: { path: 'dist', filename: '[name].js' }, plugins: [ new JavaScriptObfuscator({ rotateUnicodeArray: true // The array contains files that need to be excluded}, ['abc.js']) ] }; `vue cli` project configuration: // vue.config.js const path = require('path'); var JavaScriptObfuscator = require('webpack-obfuscator'); module.exports = { publicPath: process.env.NODE_ENV === 'production' ? './' : '/', productionSourceMap: false, configureWebpack: { plugins: [ new JavaScriptObfuscator({ rotateStringArray: true, }, []) ] }, pwa: {}, pages: {} } If you only want to encrypt and obfuscate during packaging, but not obfuscate when running locally, you can configure it as follows: configureWebpack: (process.env.NODE_ENV === 'production') ? { plugins: [ new JavaScriptObfuscator({ // ... }, []) ] } : {}, `vue cli 2.x` configuration in `webpack.prod.conf.js` Build npm run build Build file comparison 1. Original Document //test.js function abc() { for (let i = 0; i < 10; i++) { console.log(`${i}th, hello, hello`) } } abc() 2. `webpack` default tool `uglifyjs-webpack-plugin` webpackJsonp([2],{lVK7:function(o,l){!function(){for(var o=0;o<10;o++)console.log("The "+o+"th, hello, hello")}()}},["lVK7"]); 3. When `webpack-obfuscator` has no parameters new JavaScriptObfuscator({ }, []) var _0x1f6e=["个,你好,hello","lVK7","log"];!function(n,o){!function(o){for(;--o;)n.push(n.shift())}(++o)}(_0x1f6e,323);var _0x3655=function(n,o){return _0x1f6e[n-=0]};webpackJsonp([2],{lVK7:function(n,o){!function(){for(var n=0;n<10;n++)console[_0x3655("0x0")]("第"+n+_0x3655("0x1"))}()}},[_0x3655("0x2")]); 4. `webpack-obfuscator` is highly obfuscated Low performance: performance is `50-100%` slower than without blurring new JavaScriptObfuscator({ // Compress code compact: true, // Whether to enable control flow flattening (reduce running speed by 1.5 times) controlFlowFlattening: true, // Application probability; In larger code bases, it is recommended to lower this value, as a large number of control flow transitions may increase the size of the code and reduce the speed of the code. controlFlowFlatteningThreshold: 1, // Random dead code blocks (increases the size of the obfuscated code) deadCodeInjection: true, //Dead code block impact probability deadCodeInjectionThreshold: 1, // This option makes it almost impossible to use the console tab of the developer tools debugProtection: true, // If checked, will force debugging mode with intervals on the Console tab, making it more difficult to use other features of the Developer Tools. debugProtectionInterval: true, // Disable console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes using the debugger more difficult. disableConsoleOutput: true, // Obfuscation method of identifier hexadecimal (hexadecimal) mangled (short identifier) identifierNamesGenerator: 'hexadecimal', log: false, // Whether to enable confusion of global variables and function names renameGlobals: false, // Move the array through fixed and random (generated when the code is obfuscated) positions. This makes it more difficult to match the order of the deleted strings with their original positions. This option is recommended if the original source code is not small, as the helper functions can draw attention. rotateStringArray: true, // After the code is obfuscated, you cannot use code beautification, and you need to configure cpmpat:true; selfDefending: true, // Remove string literals and put them in a special array stringArray: true, stringArrayEncoding: 'rc4', stringArrayThreshold: 1, // Allows to enable/disable string conversion to unicode escape sequences. Unicode escape sequences significantly increase code size and make it easy to restore a string to its original view. It is recommended to enable this option only for small source codes. transformObjectKeys: true, unicodeEscapeSequence: false }, []), Built file size: `29,999 字節(29.2 KB)` var _0xa0d1=["w7Bzw6oKw6E=","wrwIUcOVw4M=","w4bChi3DtcOQ","wpLDtsK5w4LDpA==","OUlQwp1z","woEqw4XCtsOe","YR3DrkDCiA==","woAjwq/Ci8KQ","dDNzw5bDgA==", // ... ("0x201","xatR")]=function(x){return x()},x[_0x34e6("0x202","vdcx")](_0x2c01f8)},4e3); 3. `webpack-obfuscator` medium obfuscation Best performance: performance is `30-35%` slower than without blurring new JavaScriptObfuscator({ // Compress code compact: true, // Whether to enable control flow flattening (reduce running speed by 1.5 times) controlFlowFlattening: true, // Application probability; In larger code bases, it is recommended to lower this value, as a large number of control flow transitions may increase the size of the code and reduce the speed of the code. controlFlowFlatteningThreshold: 0.75, // Random dead code blocks (increases the size of the obfuscated code) deadCodeInjection: true, //Dead code block impact probability deadCodeInjectionThreshold: 0.4, // This option makes it almost impossible to use the console tab of the developer tools debugProtection: false, // If checked, will force debugging mode with intervals on the Console tab, making it more difficult to use other features of the Developer Tools. debugProtectionInterval: false, // Disable console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes using the debugger more difficult. disableConsoleOutput: true, // Obfuscation method of identifier hexadecimal (hexadecimal) mangled (short identifier) identifierNamesGenerator: 'hexadecimal', log: false, // Whether to enable confusion of global variables and function names renameGlobals: false, // Move the array through fixed and random (generated when the code is obfuscated) positions. This makes it more difficult to match the order of the deleted strings with their original positions. This option is recommended if the original source code is not small, as the helper functions can draw attention. rotateStringArray: true, // After the code is obfuscated, you cannot use code beautification, and you need to configure cpmpat:true; selfDefending: true, // Remove string literals and put them in a special array stringArray: true, stringArrayEncoding: 'base64', stringArrayThreshold: 0.75, transformObjectKeys: true, // Allows to enable/disable string conversion to unicode escape sequences. Unicode escape sequences significantly increase code size and make it easy to restore a string to its original view. It is recommended to enable this option only for small source codes. unicodeEscapeSequence: false }, []), Built file size: `7066字節(6.90kb)` var _0x1a25=["UmFzT1U=","RkVIc0o=","VUt2eW4=","Q29IS0g=","V1NSZ0k=","d3RNT2w=","dlV6cUw=","RlpzZWg=","QnpzSlE=","cXBqQ1k=","YXBwbHk=","bFZLNw==","Y3p1Ymo=","TFZlQXE=","Y2NKWlY=","cmV0dXJuIChmdW5jdGlvbigpIA==", // ... (b[_0x4bcb("0x2a")]("第"+c,b[_0x4bcb("0x2b")]))}})}},[_0x4bcb("0x2f")]); 4. `webpack-obfuscator` low obfuscation High performance: performance is slightly slower than without obfuscation new JavaScriptObfuscator({ // Compress code compact: true, // Whether to enable control flow flattening (reduce running speed by 1.5 times) controlFlowFlattening: false, // Random dead code blocks (increases the size of the obfuscated code) deadCodeInjection: false, // This option makes it almost impossible to use the console tab of the developer tools debugProtection: false, // If checked, will force debugging mode with intervals on the Console tab, making it more difficult to use other features of the Developer Tools. debugProtectionInterval: false, // Disable console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes using the debugger more difficult. disableConsoleOutput: true, // Obfuscation method of identifier hexadecimal (hexadecimal) mangled (short identifier) identifierNamesGenerator: 'hexadecimal', log: false, // Whether to enable confusion of global variables and function names renameGlobals: false, // Move the array through fixed and random (generated when the code is obfuscated) positions. This makes it more difficult to match the order of the deleted strings with their original positions. This option is recommended if the original source code is not small, as the helper functions can draw attention. rotateStringArray: true, // After the code is obfuscated, you cannot use code beautification, and you need to configure cpmpat:true; selfDefending: true, // Remove string literals and put them in a special array stringArray: true, stringArrayEncoding: false, stringArrayThreshold: 0.75, // Allows to enable/disable string conversion to unicode escape sequences. Unicode escape sequences significantly increase code size and make it easy to restore a string to its original view. It is recommended to enable this option only for small source codes. unicodeEscapeSequence: false }, []), Built file size: `2,424 字節(2.36 KB)` var _0x37a6=["exception","trace","console","个,你好,hello","lVK7","apply","return (function() ",'{}.constructor("return this")() ',"log","warn","debug","info","error"];!function(n,e){var o=function(e){for(;--e;)n.push(n.shift())}; // ... [_0xe1fd("0x3")]("第"+n+_0xe1fd("0xb"))}()}},[_0xe1fd("0xc")]); Comparison table

background

The company code is provided to third parties for use. In order to prevent the source code from being completely leaked, the given code needs to be encrypted and obfuscated. Although the front-end code cannot be completely encrypted and obfuscated, the build code can be completely obfuscated by using webpack-obfuscator by adding random junk code segments, character encoding escapes, etc., so that the source code cannot be restored or even read.

Install

webpack-obfuscator https://www.npmjs.com/package/webpack-obfuscator

npm install --save-dev webpack-obfuscator

Configuration

// webpack.config.js
const JavaScriptObfuscator = require('webpack-obfuscator');
module.exports = {
 entry: {
 'abc': './test/input/index.js',
 'cde': './test/input/index1.js'
 },
 output: {
 path: 'dist',
 filename: '[name].js'
 },
 plugins: [
 new JavaScriptObfuscator({
 rotateUnicodeArray: true
 // The array contains files that need to be excluded}, ['abc.js'])
 ]
};

vue cli project configuration:

// vue.config.js
const path = require('path');
var JavaScriptObfuscator = require('webpack-obfuscator');
module.exports = {
 publicPath: process.env.NODE_ENV === 'production' ? './' : '/',
 productionSourceMap: false,
 configureWebpack: {
 plugins: [
 new JavaScriptObfuscator({
 rotateStringArray: true,
 }, [])
 ]
 },
 pwa: {},
 pages: {}
}

If you only want to encrypt and obfuscate during packaging, but not obfuscate when running locally, you can configure it as follows:

configureWebpack: (process.env.NODE_ENV === 'production') ? {
 plugins: [
 new JavaScriptObfuscator({
 // ...
 }, [])
 ]
 } : {},

vue cli 2.x configuration in webpack.prod.conf.js

Build

npm run build

Build file comparison

1. Original Document

//test.js
function abc() {
 for (let i = 0; i < 10; i++) {
 console.log(`${i}th, hello, hello`)
 }
}
abc()

2. webpack default tool uglifyjs-webpack-plugin

webpackJsonp([2],{lVK7:function(o,l){!function(){for(var o=0;o<10;o++)console.log("The "+o+"th, hello, hello")}()}},["lVK7"]);

3. When webpack-obfuscator has no parameters

new JavaScriptObfuscator({
}, [])

var _0x1f6e=["个,你好,hello","lVK7","log"];!function(n,o){!function(o){for(;--o;)n.push(n.shift())}(++o)}(_0x1f6e,323);var _0x3655=function(n,o){return _0x1f6e[n-=0]};webpackJsonp([2],{lVK7:function(n,o){!function(){for(var n=0;n<10;n++)console[_0x3655("0x0")]("第"+n+_0x3655("0x1"))}()}},[_0x3655("0x2")]);

4. webpack-obfuscator is highly obfuscated

Low performance: performance is 50-100% slower than without blurring

new JavaScriptObfuscator({
 // Compress code compact: true,
 // Whether to enable control flow flattening (reduce running speed by 1.5 times)
 controlFlowFlattening: true,
 // Application probability; In larger code bases, it is recommended to lower this value, as a large number of control flow transitions may increase the size of the code and reduce the speed of the code.
 controlFlowFlatteningThreshold: 1,
 // Random dead code blocks (increases the size of the obfuscated code)
 deadCodeInjection: true,
 //Dead code block impact probability deadCodeInjectionThreshold: 1,
 // This option makes it almost impossible to use the console tab of the developer tools debugProtection: true,
 // If checked, will force debugging mode with intervals on the Console tab, making it more difficult to use other features of the Developer Tools.
 debugProtectionInterval: true,
 // Disable console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes using the debugger more difficult.
 disableConsoleOutput: true,
 // Obfuscation method of identifier hexadecimal (hexadecimal) mangled (short identifier)
 identifierNamesGenerator: 'hexadecimal',
 log: false,
 // Whether to enable confusion of global variables and function names renameGlobals: false,
 // Move the array through fixed and random (generated when the code is obfuscated) positions. This makes it more difficult to match the order of the deleted strings with their original positions. This option is recommended if the original source code is not small, as the helper functions can draw attention.
 rotateStringArray: true,
 // After the code is obfuscated, you cannot use code beautification, and you need to configure cpmpat:true;
 selfDefending: true,
 // Remove string literals and put them in a special array stringArray: true,
 stringArrayEncoding: 'rc4',
 stringArrayThreshold: 1,
 // Allows to enable/disable string conversion to unicode escape sequences. Unicode escape sequences significantly increase code size and make it easy to restore a string to its original view. It is recommended to enable this option only for small source codes.
 transformObjectKeys: true,
 unicodeEscapeSequence: false
}, []),

Built file size: 29,999 字節(29.2 KB)

var _0xa0d1=["w7Bzw6oKw6E=","wrwIUcOVw4M=","w4bChi3DtcOQ","wpLDtsK5w4LDpA==","OUlQwp1z","woEqw4XCtsOe","YR3DrkDCiA==","woAjwq/Ci8KQ","dDNzw5bDgA==",
// ...
("0x201","xatR")]=function(x){return x()},x[_0x34e6("0x202","vdcx")](_0x2c01f8)},4e3);

3. webpack-obfuscator medium obfuscation

Best performance: performance is 30-35% slower than without blurring

new JavaScriptObfuscator({
 // Compress code compact: true,
 // Whether to enable control flow flattening (reduce running speed by 1.5 times)
 controlFlowFlattening: true,
 // Application probability; In larger code bases, it is recommended to lower this value, as a large number of control flow transitions may increase the size of the code and reduce the speed of the code.
 controlFlowFlatteningThreshold: 0.75,
 // Random dead code blocks (increases the size of the obfuscated code)
 deadCodeInjection: true,
 //Dead code block impact probability deadCodeInjectionThreshold: 0.4,
 // This option makes it almost impossible to use the console tab of the developer tools debugProtection: false,
 // If checked, will force debugging mode with intervals on the Console tab, making it more difficult to use other features of the Developer Tools.
 debugProtectionInterval: false,
 // Disable console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes using the debugger more difficult.
 disableConsoleOutput: true,
 // Obfuscation method of identifier hexadecimal (hexadecimal) mangled (short identifier)
 identifierNamesGenerator: 'hexadecimal',
 log: false,
 // Whether to enable confusion of global variables and function names renameGlobals: false,
 // Move the array through fixed and random (generated when the code is obfuscated) positions. This makes it more difficult to match the order of the deleted strings with their original positions. This option is recommended if the original source code is not small, as the helper functions can draw attention.
 rotateStringArray: true,
 // After the code is obfuscated, you cannot use code beautification, and you need to configure cpmpat:true;
 selfDefending: true,
 // Remove string literals and put them in a special array stringArray: true,
 stringArrayEncoding: 'base64',
 stringArrayThreshold: 0.75,
 transformObjectKeys: true,
 // Allows to enable/disable string conversion to unicode escape sequences. Unicode escape sequences significantly increase code size and make it easy to restore a string to its original view. It is recommended to enable this option only for small source codes.
 unicodeEscapeSequence: false
}, []),

Built file size: 7066字節(6.90kb)

var _0x1a25=["UmFzT1U=","RkVIc0o=","VUt2eW4=","Q29IS0g=","V1NSZ0k=","d3RNT2w=","dlV6cUw=","RlpzZWg=","QnpzSlE=","cXBqQ1k=","YXBwbHk=","bFZLNw==","Y3p1Ymo=","TFZlQXE=","Y2NKWlY=","cmV0dXJuIChmdW5jdGlvbigpIA==",
// ...
(b[_0x4bcb("0x2a")]("第"+c,b[_0x4bcb("0x2b")]))}})}},[_0x4bcb("0x2f")]);

4. webpack-obfuscator low obfuscation

High performance: performance is slightly slower than without obfuscation

new JavaScriptObfuscator({
 // Compress code compact: true,
 // Whether to enable control flow flattening (reduce running speed by 1.5 times)
 controlFlowFlattening: false,
 // Random dead code blocks (increases the size of the obfuscated code)
 deadCodeInjection: false,
 // This option makes it almost impossible to use the console tab of the developer tools debugProtection: false,
 // If checked, will force debugging mode with intervals on the Console tab, making it more difficult to use other features of the Developer Tools.
 debugProtectionInterval: false,
 // Disable console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes using the debugger more difficult.
 disableConsoleOutput: true,
 // Obfuscation method of identifier hexadecimal (hexadecimal) mangled (short identifier)
 identifierNamesGenerator: 'hexadecimal',
 log: false,
 // Whether to enable confusion of global variables and function names renameGlobals: false,
 // Move the array through fixed and random (generated when the code is obfuscated) positions. This makes it more difficult to match the order of the deleted strings with their original positions. This option is recommended if the original source code is not small, as the helper functions can draw attention.
 rotateStringArray: true,
 // After the code is obfuscated, you cannot use code beautification, and you need to configure cpmpat:true;
 selfDefending: true,
 // Remove string literals and put them in a special array stringArray: true,
 stringArrayEncoding: false,
 stringArrayThreshold: 0.75,
 // Allows to enable/disable string conversion to unicode escape sequences. Unicode escape sequences significantly increase code size and make it easy to restore a string to its original view. It is recommended to enable this option only for small source codes.
 unicodeEscapeSequence: false
}, []),

Built file size: 2,424 字節(2.36 KB)

var _0x37a6=["exception","trace","console","个,你好,hello","lVK7","apply","return (function() ",'{}.constructor("return this")() ',"log","warn","debug","info","error"];!function(n,e){var o=function(e){for(;--e;)n.push(n.shift())};
// ...
[_0xe1fd("0x3")]("第"+n+_0xe1fd("0xb"))}()}},[_0xe1fd("0xc")]);

Comparison table

File name	File size	Normal build	No parameters	Highly obfuscated	Moderate confusion	Low obfuscation
test.js	117 bytes	177 bytes	363 bytes	29.2 KB (29,999 bytes)	6.90KB (7066 bytes)	2.36 KB (2,424 bytes)
jquery.js	111 KB (113,852 bytes)	85.0 KB (87,064 bytes)	115 KB (117,770 bytes)	1.24 MB (1,304,998 bytes)	401 KB (411,543 bytes)	117 KB (120,243 bytes)

Main Attributes

{
// Compression, no line break compact: true,
// Whether to enable control flow flattening (reduce running speed by 1.5 times)
controlFlowFlattening: false,
// Application probability; In larger code bases, it is recommended to lower this value, as a large number of control flow transitions may increase the size of the code and reduce the speed of the code.
controlFlowFlatteningThreshold: 0.75,
// Random dead code blocks (increases the size of the obfuscated code)
deadCodeInjection: false,
//Dead code block impact probability deadCodeInjectionThreshold: 0.4,
// This option makes it almost impossible to use the console tab of the developer tools debugProtection: false,
// If checked, will force debugging mode with intervals on the Console tab, making it more difficult to use other features of the Developer Tools.
debugProtectionInterval: false,
// Disable console.log, console.info, console.error and console.warn by replacing them with empty functions. This makes using the debugger more difficult.
disableConsoleOutput: false,
// Lock down obfuscated source code to only run on specific domains and/or subdomains. This makes it very difficult for someone to just copy and paste your source code and run it somewhere else.
domainLock: [],
//Obfuscation method of identifier hexadecimal (hexadecimal) mangled (short identifier)
identifierNamesGenerator: 'hexadecimal',
//Add a specific prefix to the global identifier. Use this option when obfuscating multiple files loaded on the same page. This option helps avoid conflicts between global identifiers for these files. Use a different prefix for each file identifiersPrefix: '',
inputFileName: '',
// Enable logging to the console.
log: false,
// Whether to enable confusion of global variables and function names renameGlobals: false,
// Disable obfuscation and generated identifiers reservedNames: [],
// Disable conversion of string literals reservedStrings: [],
// Move the array through fixed and random (generated when the code is obfuscated) positions. This makes it more difficult to match the order of the deleted strings with their original positions. This option is recommended if the original source code is not small, as the helper functions can draw attention.
rotateStringArray: true,
// After the code is obfuscated, you cannot use code beautification, and you need to configure cpmpat:true;
seed: 0,
selfDefending: false,
sourceMap: false,
sourceMapBaseUrl: '',
sourceMapFileName: '',
sourceMapMode: 'separate',
// Remove string literals and put them in a special array stringArray: true,
// Encode all string literals in stringArray using base64 or rc4 and insert them into a special code which decodes back at runtime. true (boolean): stringArray uses base64 encoding value; false (boolean): do not encode stringArray value; 'base64' (string): stringArray uses base64 encoding value; 'rc4' (string): stringArray uses rc4 encoding value. About 30-50% slower than base64, but harder to get the initial value. It is recommended to disable unicodeEscapeSequence option with rc4 encoding to prevent very large obfuscated codes.
stringArrayEncoding: false,
// Adjust the probability that a string literal will be inserted into stringArray stringArrayThreshold: 0.75,
// You can set the target environment for obfuscated code to one of the following: Browser; Browser No Eval; Node
target: 'browser',
// Whether to enable obfuscation of object keys transformObjectKeys: false,
// Allows to enable/disable string conversion to unicode escape sequences. Unicode escape sequences significantly increase code size and make it easy to restore a string to its original view. It is recommended to enable this option only for small source codes.
unicodeEscapeSequence: false
}

Notice

When installing webpack-obfuscator , pay attention to the version of webpack-obfuscator to match the local project webpack version. I use [email protected] and the project webpack is version 4.x ( 4.x版webpack will report an error and cannot be used using the latest version [email protected] , and webpack has not been upgraded to version 5.x ).
excludes數組is compatible with multimatch包語法, for example, it supports ['js/chunk-vendors.**.js'] , ['excluded_bundle_name.js', '**_bundle_name.js'] or 'excluded_bundle_name.js' , etc.

Article address: https://www.cnblogs.com/dragonir/p/14445767.html Author: dragonir

Vue project configures webpack-obfuscator to implement code encryption and obfuscation

background

Install

Build

Build file comparison

How to uninstall Linux's native openjdk and install sun jdk

What are the ways to import CSS? What is the difference between link and @import? How to choose

Create a custom system tray indicator for your tasks on Linux

Solution to mysql login warning problem

Detailed explanation of data type issues in JS array index detection

Example of how to configure nginx to implement SSL

Pure CSS to achieve left and right drag to change the layout size

Brief Analysis of MySQL B-Tree Index

This article teaches you how to import CSS like JS modules

Specific use of Linux which command

Recommend

Hadoop 2.x vs 3.x 22-point comparison, Hadoop 3.x improvements over 2.x

Summary of DTD usage in HTML

Mybatis implements SQL query interception and modification details

CentOS7 enables MySQL8 master-slave backup and daily scheduled full backup (recommended)

How to use Javascript to generate smooth curves

Pure HTML and CSS to achieve JD carousel effect

Using Nginx to implement grayscale release

Detailed explanation of using Nginx reverse proxy to solve cross-domain problems

Navicat Premium operates MySQL database (executes sql statements)

A quick review of CSS3 pseudo-class selectors

MySQL uses the truncate command to quickly clear all tables in a database

JavaScript implementation of classic snake game

Vant+postcss-pxtorem implements browser adaptation function

Detailed explanation of mysql deadlock checking and deadlock removal examples

Ubuntu 15.04 opens mysql remote port 3306