How to Obfuscate Node.js Code Before Deployment


Why Obfuscate Node.js Code?

Node.js runs server-side, so you might wonder why you'd need to obfuscate it — users can't open DevTools and read your server code. But there are several common scenarios where Node.js obfuscation makes sense: distributing CLI tools, shipping Electron apps, deploying to client servers, or distributing npm packages where you want to protect your implementation.

When Node.js Obfuscation Is Most Valuable

  • Electron desktop apps — Your entire Node.js backend ships with the app as readable source files
  • CLI tools distributed as source — Node tools installed via npm ship as JavaScript
  • Software deployed to client infrastructure — When a client runs your code on their own servers, they have file system access
  • License-protected Node modules — npm packages with paid tiers where you don't want the logic copied

Method 1: javascript-obfuscator CLI

The simplest approach for Node.js files:

npm install -g javascript-obfuscator

# Obfuscate a single file
javascript-obfuscator src/app.js --output dist/app.js --compact true --string-array true

# Obfuscate an entire directory
javascript-obfuscator src/ --output dist/ --compact true --self-defending true

Method 2: Programmatic API in Build Script

const JavaScriptObfuscator = require('javascript-obfuscator');
const fs = require('fs');
const path = require('path');
const glob = require('glob');

const files = glob.sync('src/**/*.js');

files.forEach(file => {
  const code = fs.readFileSync(file, 'utf8');
  const result = JavaScriptObfuscator.obfuscate(code, {
    compact: true,
    stringArray: true,
    stringArrayEncoding: ['base64'],
    stringArrayRotate: true, // named rotateStringArray in older releases
    selfDefending: false,  // Not needed server-side
    debugProtection: false // Not needed server-side
  });
  
  // Mirror the path under dist/ without relying on string replacement
  const outPath = path.join('dist', path.relative('src', file));
  fs.mkdirSync(path.dirname(outPath), { recursive: true });
  fs.writeFileSync(outPath, result.getObfuscatedCode());
});

console.log('Obfuscation complete.');

Electron App Considerations

Electron apps are particularly important to obfuscate because users can easily navigate to the app's resources directory and read all your JavaScript. For Electron, obfuscate both the main process code and the renderer process code.

Additionally, consider using asar packaging (Electron's archive format) to package your app files — while not truly secure, it adds another layer of friction before someone can access your source files.

What to Skip

Don't obfuscate: node_modules (third-party code), configuration files (JSON, YAML), test files, and build scripts. Focus obfuscation on your application's core logic.
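
The skip list above can be enforced in the build step rather than left to convention. The following is an added example (not code from the original article or from javascript-obfuscator) that sorts project paths into files to obfuscate and files to leave untouched; the directory names and filename patterns used to recognise tests and build scripts are assumptions.

```javascript
// Added example: decide per file whether the build obfuscates it or leaves it as-is.
const path = require('path');

// Assumed naming conventions (not from the article); adjust to your repository.
const TEST_DIRS = new Set(['test', 'tests', '__tests__']);
const BUILD_DIRS = new Set(['scripts']);
const CONFIG_EXT = new Set(['.json', '.yaml', '.yml']);
const CODE_EXT = new Set(['.js', '.cjs', '.mjs']);

// Returns { action: 'obfuscate' | 'skip', reason } for a project-relative path.
function classify(relPath) {
  const parts = relPath.split(/[\\/]+/).filter(Boolean); // accept Windows separators too
  const base = parts[parts.length - 1] || '';
  const ext = path.extname(base).toLowerCase();
  const dirs = parts.slice(0, -1);

  if (parts.includes('node_modules')) return { action: 'skip', reason: 'third-party' };
  if (CONFIG_EXT.has(ext)) return { action: 'skip', reason: 'config' };
  if (dirs.some(d => TEST_DIRS.has(d)) || /\.(test|spec)\.[cm]?js$/i.test(base))
    return { action: 'skip', reason: 'test' };
  if (dirs.some(d => BUILD_DIRS.has(d)) || /\.config\.[cm]?js$/i.test(base))
    return { action: 'skip', reason: 'build-script' };
  if (CODE_EXT.has(ext)) return { action: 'obfuscate', reason: 'app-code' };
  return { action: 'skip', reason: 'not-javascript' };
}

// Group a file list into the two queues a build script would process.
function planBuild(files) {
  const plan = { obfuscate: [], skip: [] };
  for (const f of files) plan[classify(f).action].push(f);
  return plan;
}

// Constructed sample tree.
const sample = [
  'src/app.js',
  'src/lib/license.mjs',
  'src/config/default.json',
  'src/lib/__tests__/license.test.js',
  'src/vendor/node_modules/some-dep/index.js',
  'scripts/build.js',
  'webpack.config.js',
  'src\\win\\service.js',
];
console.log(planBuild(sample));
```

Only the `obfuscate` queue should be passed to the obfuscator; the `skip` queue is copied verbatim or left out of the build.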

Node.js-Specific Options

When obfuscating Node.js code, you can skip debug protection and self-defending mode (these target browser DevTools and browser execution respectively). Focus on compact mode, string encryption, and variable renaming — these are the most valuable for Node.js protection with the least overhead.

Quick one-off: For a single Node.js file, paste it into our browser obfuscator — it works just as well for server-side JS as it does for browser code.