Pipeline/Workflow to Hide, Optimize, secure, compress Javascript code

While I was researching into using Html5, etc. I’ve noticed that the user can see the javascript code from within the browser. I’m also assuming they can access/see the game assets.

What is the pipeline/workflow you web/Game developer used to hide, secure, and protect your javascript code and game assets?

Do you:

  1. Don’t bother.
  2. Leave the security and protection to the server end.
  3. Obfuscate javascript code, compressed game assets.

I can find information on developing using javascript. But, very little info on javascript security.


Assets can’t be protected, they have to be in memory at some point.
If you don’t want an easy rip you can modify the bytes, maybe something like a xor cypher but that’s easily bypassed if you know what you’re doing.

Code obfuscation is limited, but tools minify tools helps a little against people stealing your code. But again if someone is motivated enough they can get around that.
And this is not a js only issue, language like java/c# are easy to disassemble, and even c/c++ on some level.

If you do multiplayer games then the only security is with a fully authoritative server and having the clients basically just forward inputs and draw the game.

Thanks ibilon for your reply.

I walways wonder want other game developers do.

Thanks again

I always use uglifyjs to minify the project. This makes it less readable but more important delivers the smallest size.

I also use texture atlasses, which also delivers smaller size and better rendering. This is not obfuscation/packing but at least makes it tiny more complicated to extract assets.But I don’t bother much about assets being ripped.

For game development with backend/frontend communication, depending on the project we often use json web tokens https://jwt.io/ According the website

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.