Công Nghệ

JavaScript Security: Hide your Code?

Should you hide your frontend JavaScript code? CAN you hide your browser JavaScript code?
Join the full JavaScript course:
Exclusive discount also available for our Node.js course:

Check out all our other courses:


• Go to and subscribe to our newsletter to stay updated and to get exclusive content & discounts
• Follow @maxedapps and @academind_real on Twitter
• Join our Facebook community on

See you in the videos!


Academind is your source for online education in the areas of web development, frontend web development, backend web development, programming, coding and data science! No matter if you are looking for a tutorial, a course, a crash course, an introduction, an online tutorial or any related video, we try our best to offer you the content you are looking for. Our topics include Angular, React, Vue, Html, CSS, JavaScript, TypeScript, Redux, Nuxt.js, RxJs, Bootstrap, Laravel, Node.js, Progressive Web Apps (PWA), Ionic, React Native, Regular Expressions (RegEx), Stencil, Power BI, Amazon Web Services (AWS), Firebase or other topics, make sure to have a look at this channel or at academind.com to find the learning resource of your choice!

Nguồn: https://exclusivejoint.com/

Xem thêm bài viết khác: https://exclusivejoint.com/cong-nghe/

Công Nghệ
Đăng ký gói 4G, 5G Nào Sinh viên, Học sinh để dùng thoải mái ?| Vinaphonevn.com
Công Nghệ
Gói Sim 4G + nghe gọi NGON NHẤT THỜI ĐIỂM NÀY, xài Tết xả láng đi
Công Nghệ
Review SIM 4G Viettel ST90 Nạp 90K Tặng 62GB/Tháng – Gói Cước SIÊU TỐC
  • Title should have been " Should you hide your API key"

  • Obfuscation does not make anything more secure.

  • Conclusion: Confidential data needs to be not sent to the browser, like using php.
    Non-confidential data like data meant for a user can be sent to the user, and can be processed using js.

  • You cannot hide it at all. It runs on the client and it cannot be compiled to machine code. However, you could minify it – that's basically obfuscating it by shortening variable names, removing whitespace, etc. While it's usually used to save bandwidth it also makes the code less readable.

  • 5:37, so lets say somebody copies the api key and creates a fake, phising website and creates a form, if i logged in in the fake.com website, will the fake.com website be able to steal data?

  • I'm also using firebase and placing the api key in frontend code also makes me worried. What if we store the api key in the backend and we just request that. But before sending it to client, we encrypt it first and decrypt it once we receive it and store it to our secured local state. It is still possible to read the logic and decrypt the api key but it should be hard to that. However, people can still extract the api key by looking at the network requests. It is included in the api url, header, body etc.

  • I am experiencing exact same problem, my API key is being exposed in the web console. From UI, my request passes through AWS Gateway, that requires API key for my request to pass through to server. What could be the better way to hide my API key (in Angular)from client.? Thank you

  • Want to learn making html page dynamic using Javascript, Visit https://www.youtube.com/watch?v=RaF3ZlMuU0g

  • Great stuff…

  • sir I want to hide html comment "<!– –>/" from source in my website. please help me.

  • Obfuscation is immoral and unethical

  • its not just api key or whatever . what about changing the code? if you make a front page game and you dont wanna put the code in the server what if the client change the rules of the game? for example change the time clock. if you have thousands of users playing simultaneously you dont wanna calculate the time and every movements and the rules in your server

  • exactly what i need to know .. thank you!!

  • Good tutorial! Always good to first leverage proper security protocols in building secure JS apps. But if you need to leverage more business logic client side and want to protect that code, IP and data check out www.jscrambler.com

  • Never trust client. Verify in backend

  • What ???? No one heard about jquery VM, CDN, Obfuscatation, same as PHP CodeIgniter … This is an old problem that long ago has been solved

  • So as HTML5 Game Developers where content is 100% in the client, we're essentially screwed?🤔

  • what about in react native? can I hide code there?

  • if you want to store this client-side why would you not just set the keys as an environment variable so they accessible to the dev but they are not rendered to the DOM for client-side viewing? Can someone help me understand where my logic is wrong here so that I can improve this in the future? -Thank you

  • this video has everything to do with the title. i got an answer to something that was bothering a lot on watching this the 3rd time. i dont know why i didn't get it before. i think people who are into spa will find that the title of the video goes well with the content (since i noticed some comments about title and content )

  • Thats some very valuable information. Thanks. Appreciate the detailed explanation. Keep it up

  • I feel like if I were to ask this guy what time it is, he'd tell how the watch was made. Please get to the point…

  • luv u

  • Why even have an api token? Just autoroize the domain

  • So essentially run a server-side app and use environmental variables. Then create an api for your js frontend to interface with. You can configure your own permissions on the user by coding them yourself since its your api. Mern stack + typescript it is.

  • Slow

  • PitPit

    Author Reply

    "Harder"? what? You need to press {} pretty code button on chrome only.

  • whats the name of your code editor bro???

  • Here's my tip:
    a) search for a web site that ulgify js code.
    b) back up all your js files

    c) ulgify all your js files
    d) deploy the uglified version of your files, .gitignore your jsFilesBackup
    Be happy.

  • You almost answered my exact question! I have a Vue front end, with a Django backend (all running off the same host & port (proxied), using sessions). As it stands, a user can get full access to the front-end of the system by faking a login on the client-side, i.e. flipping a 'loggedIn' boolean. They will not get any data, but they will see the full UI, and I don't think I want this. How can that be prevented?

  • Really Helpful Max.

  • Make all wortg while code on server-side.

  • Answer is no

  • Using sever side frameworks like Web Firm Framework is more secure.

  • Buddy change your Video Tittle

  • please direct to the point

  • How about config variables?

  • Didnt find the way to hide js logic.

  • Where did you exactly hide your code???

  • C DC D

    Author Reply

    The truth is that javascript is an absolute fucking abomination. Tottaly unsecure

  • Bo NeBo Ne

    Author Reply

    This video is somewhat misleading

  • MioMio

    Author Reply

    The title is misleading

  • If JavaScript was hidden or even encrypted at client browsers, there would be hardly any websites today. If you wanna hide stuff, hide it in your backend service layer where you can put your business logic. If you're a frontend developer and frustrated, then you can't do anything about it. Just let it go or work with your backend teammate on a solution. If you're a fullstack developer or freelancer or hobbyist, it's all in your hands. You're the commander of what to show and what not to show.

  • Can’t hide it but you can make it almost unreadable

  • Which IDE you are using? is it Visual Studio?

  • Nope.

    That’s why google push JavaScript so hard.

    Steal all your idea.

  • Title is not match exactly what you want to convey… It is fully related cloud api restriction not JavaScript code.

  • White listing isn't available for most APIs. The best solution is to invoke the API from the server side.

  • The video content has nothing to do with the title

  • AdamAdam

    Author Reply

    In Angular => put firebase credentials inside environment.ts file.. then init you FirebaseModule inside app.module.ts