Can JavaScript Obfuscator protect JavaScript embedded in HTML, PHP, ASP, ASPX, or JSP files?

Yes. The desktop app protects JavaScript embedded in mixed files including HTML, PHP, ASP, ASPX, and JSP.

Anti-LLM Maximum mode in every paid tier — per-build polymorphic decoding from $29/mo · Compare plans

Try the online obfuscator Free preview · no signup · in your browser

JavaScript Protection For Release Teams · Since 2004

Protect shipped JavaScript without slowing down the release flow around it.

Q: Is the original source recoverable from the obfuscated output?

No. Once the symbols and comments are transformed, the original source cannot be recovered from the obfuscated output - not by hand, not by automated deobfuscators, not by LLM-based tools.

Q: Is anti-LLM Maximum mode included in the lower-priced plans?

Yes. Maximum-mode anti-LLM protection is available in every paid tier starting at $29/month, not gated behind an enterprise upgrade.

Start with a browser preview, move into the desktop app when source must stay local, or wire the hosted API into any pipeline. Nine first-class language clients, thirteen CI templates, two IDE plugins, eight error-reporter integrations, an ESLint plugin that catches credential leaks before commit, and a Slack/Discord beacon forwarder for runtime tamper alerts — whatever your build looks like, JSO drops into it. Maximum-mode polymorphic protection starts at $29/month.

Try It Free Online View Plans From $29/month Browse The Tooling Matrix › Build Integrations Hub › Every Transform Side-by-Side ›

9 language clients Node, Python, Go, .NET, Ruby, PHP, Rust, Java, Kotlin 13 CI templates GitHub, GitLab, Circle, Jenkins, Azure, Bitbucket, Drone, Buildkite, Woodpecker, Tekton, TeamCity, GoCD, Argo Hygiene + ops ESLint plugin catches API-key leaks; beacon forwarder posts tamper alerts to Slack/Discord Local-only path Desktop app keeps source on the workstation

Protect production code

Use stronger protection for shipped JavaScript, then move into desktop, API, or CLI workflows when the release process needs to scale.

Preview Try the browser tool before changing your build flow.

Local Switch to desktop when code cannot leave the workstation.

Ship Carry the same preset into repeatable release automation.

2004 First shipped. Continuous releases for 22 years. Heritage

$29 = 1 GB Entry tier with anti-LLM Maximum mode included. Pricing

Per-build Polymorphic decoder regenerated every release. Anti-LLM

4 paths Online, desktop GUI, hosted API, npm CLI. Workflow

Trusted by product teams worldwide Some of the names that have shipped JavaScript Obfuscator-protected code in production since 2004.

Find Your Fit

Pick your threat model. We'll point you at the right preset.

The right amount of protection depends on what an attacker actually wants from your code. Pick one and the recommendation appears below.

Tier 1

Anti-copying

A competitor scrapes my script and runs it on their own site. I want them to get a working file they can't easily modify or extend.

Standard preset →

Tier 2

Anti-IP-theft

Someone wants to understand my algorithm well enough to reimplement it. They have time, tools, and motivation. I want to make that effort uneconomical.

Maximum preset →

Tier 3

Anti-active-attacker

Someone wants to tamper with my running code — bypass a paywall, grant a feature, manipulate game state. Active attacker, real-time threat.

Maximum + monitoring →

Recommended: Standard preset. Variable renaming and string encoding stop the casual copy-and-paste copycat. The Free tier is enough — no credit card required. Upgrade only if your usage grows beyond 200 MB/month.

Open Standard Preset ›

Recommended: Maximum preset. Per-build polymorphic decoder, encrypted constant pool, flat-transformed control flow, self-defending wrapper. The threshold an attacker has to cross becomes uneconomical for most non-state actors. Available in every paid tier from $29/month.

Open Maximum Preset ›

Recommended: Maximum preset + a runtime monitoring suite. Maximum mode raises the cost of analysis; runtime monitoring catches tampering when it happens. Server-side authority on anything that grants access. Obfuscation is one layer in a layered defense, never the only one.

Open Maximum Preset › Runtime Defense Guide

Pricing

Published plans. Anti-LLM in every paid tier.

No sales call. No "contact us for pricing." Maximum-mode anti-LLM protection is included from the entry tier up — never gated to a higher plan.

Bytes per dollar at the entry tier

JavaScript Obfuscator

$29 → 1 GB / month

Comparable

$19 → 100 MB

10× the bytes per dollar. Anti-LLM Maximum mode included from $29.

Start free

Free

$0/month

Try the engine on real code with no credit card. Best for evaluation and single-file scripts.

Free forever

200 MB / month
Up to 20 files per request
Name mangling
String encoding
Browser-based tool only

Get Started Free

Individual builds

Basic

$29/month

Anti-LLM Maximum mode and the desktop / API workflow for solo developers running real releases.

Best for one-developer projects

1 GB / month · 5× Free
Up to 50 files per request
10 MB max file size
Anti-LLM Maximum mode
Domain & date locking
Desktop app + npm CLI access

Choose Basic

Corporate

$49/month

Cross-file controls and per-function VM bytecode protection for teams shipping multi-file bundles.

Best for production teams

3 GB / month · 3× Basic
Up to 1000 files per request
30 MB max file size
Replace globals + protect members
Dead-code insertion
VM bytecode protection (beta)

Choose Corporate

High-volume pipelines

Enterprise

$99/month

The deepest transforms and largest quotas for CI-driven release pipelines and mixed-file projects.

Best for large CI throughput

9 GB / month · 3× Corporate
Up to 3000 files per request
120 MB max file size
Flat transform + encrypted strings
Mixed-server file processing
Move-nested + best compression

Choose Enterprise

Compare all four plans in detail ›

Team Release Controls

Give engineering, release, and review teams the same protection workflow.

The public gap versus larger vendors is usually governance and repeatability, not just transforms. JavaScript Obfuscator is strongest when one reviewed profile moves from browser evaluation into desktop projects, npm scripts, and CI checks without everyone rebuilding settings by hand.

Shared protection profiles Keep one reviewed desktop project, JSON preset, or jso.config.json so every release uses the same approved transform set and exclusion rules.

Framework-safe rollout Compile with Vite, Webpack, Rollup, esbuild, React, Vue, Angular, or TypeScript first, then protect the emitted JavaScript as a dedicated release step.

Protected-build validation Run compatibility checks, exclusion reviews, smoke tests, and release manifests against the protected artifact instead of assuming source-only tests are enough.

What this closes A clearer path for team usage, framework integration, and debugging policy without inventing enterprise features the product does not yet claim.

Best fit today Teams that want stronger JavaScript protection with published pricing, local-only fallback, and repeatable release guidance before they need a heavier platform rollout.

Open Validation Guide Framework Integration Team Plan Details

The Question Every Procurement Reviewer Asks

What actually changes when the output shape is different on every release?

Short answer: no, for output that regenerates its decoder shape every build. Yes, for static obfuscators in their training data.

Every release changes the attack surface. Maximum mode regenerates the decoder shape, key path, and identifier prefix instead of shipping one static transform signature forever.

LLMs lose the shortcut they rely on. Pattern-matching works well against fixed obfuscators. It degrades when the next build is structurally different from the last one.

Runtime-decoded constants remove obvious clues. Strings, names, and readable branches stop acting like anchor points for reverse engineering and code explanation prompts.

Read the full answer › Compare Obfuscators

// What an LLM sees on a Maximum-mode build:
//   (function(){var _0xa3=_dec(0x4a); ... })();
//
// What it CAN'T tell you:
//   - what _dec(0x4a) decodes to
//   - which case the state machine runs first
//   - what the original variable names were
//   - what the strings are
//
// All of that lives behind the decoder,
// which only runs at runtime.

Procurement-Ready

Get answers without a sales call.

Source-handling, release validation, compliance vocabulary, and workflow-to-policy fit are all documented. Your security team can review without scheduling a discovery meeting first.

Review pack ready Workflow and trust docs Local-only path included

In-memory processing Submitted JavaScript is processed in server memory only, and the desktop workflow keeps source on the workstation throughout.

Compliance vocabulary mapped GDPR data minimisation, OWASP A04/A09, PCI DSS 4.0 client-side script integrity, HIPAA-adjacent code, and NIST SSDF concerns are addressed in one place.

Honest scope No SOC 2 or ISO 27001 claims today. We publish the handling details, support path, release-validation guidance, and local-only option we do have.

Open Security & Trust Source Handling Doc Release Workflow

Desktop App

Your source code never leaves your workstation.

For PHI-adjacent web apps, on-prem build pipelines, or any project where the JavaScript source code can't be uploaded to a third-party server — use the desktop GUI. Batch process entire projects, including JavaScript embedded in HTML, PHP, ASP, ASPX, and JSP. Generate a deterministic command line you can check into your release pipeline.

Mixed-file support for HTML, PHP, ASP, ASPX, and JSP Deterministic command line for release automation Local-only path for sensitive source code

Download Desktop › Take a Tour ›

Scope Whole projects and embedded JavaScript

Output Repeatable command line for CI handoff

Security Source stays on the local workstation

Four Ways To Start

Pick the entry point that fits how your team actually ships.

Use the online tool for quick evaluation, move to desktop when source must stay local, use jso-protector when your release already lives in npm and CI, or hand procurement and engineering the deeper docs when they need release-process details first.

Try the online obfuscator

Best when you want a fast before-and-after preview, a quick shareable test, or a lightweight way to compare presets.

Open the browser tool ›

Download the desktop app

Best for PHI-adjacent code, on-prem build systems, and mixed-file projects that need local-only processing.

Get the desktop installer ›

Use the npm CLI

Best when your team ships with package scripts, build pipelines, or CI and wants hosted protection as a repeatable release step.

Open the jso-protector guide ›

Review trust and workflow docs

Best when security reviewers, release managers, or procurement teams want handling details before testing the product directly.

Open security and workflow docs ›

From the engineering team

All articles

Vendor Comparison ~10 min read

JavaScript VM protection compared — Jscrambler, JSDefender, Verimatrix, OSS virtualizers

What each vendor actually ships, where JSO selective virtualization fits, and a budget-band decision framework.

Read the comparison ›

Roadmap ~8 min read

True VM-based protection — coming to Maximum mode

Selective per-function bytecode virtualization with a per-build VM interpreter. Why it's opt-in per function rather than whole-bundle default.

Read the design ›

Anti-LLM Research ~9 min read

Can ChatGPT, Claude, or Copilot reverse-engineer obfuscated JavaScript?

What today's AI assistants can actually deobfuscate, where they break down structurally, and why per-build polymorphic decoders defeat the pattern-matching approach.

Read the analysis ›

Frequently Asked

The questions security reviewers and release managers ask first.

Plain answers on LLM resistance, recoverability, embedded JavaScript support, and what's in the lower-priced plans.

Can ChatGPT, Claude, or Copilot reverse-engineer code protected by JavaScript Obfuscator?

Maximum-mode protection emits a per-build polymorphic decoder. Every release regenerates the decoder shape, key derivation, identifier prefix, and constant-pool encoding. LLMs work by pattern-matching against known transform signatures, so an AI deobfuscator that solves one build cannot apply the same approach to the next.

Is the original source recoverable from the obfuscated output?

No. Once the symbols and comments are transformed, the original source cannot be recovered from the obfuscated output — not by hand, not by automated deobfuscators, not by LLM-based tools. Variable names, string contents, and structural cues are gone for good.

Can it protect JavaScript embedded in HTML, PHP, ASP, ASPX, or JSP files?

Yes. The desktop app processes mixed files end-to-end, including JavaScript inside HTML, PHP, ASP, ASPX, and JSP templates. The non-JS portions of each file pass through untouched while every <script> block and inline event handler runs through the obfuscation pipeline.

Is anti-LLM Maximum mode included in the lower-priced plans?

Yes. Maximum-mode anti-LLM protection — per-build polymorphic decoder, encrypted constants, flat-transformed control flow — is available in every paid tier starting at $29/month. It's not gated behind an enterprise upgrade or a separate add-on.

How do I integrate it into a CI/CD pipeline?

Three options depending on where your build runs. The desktop app generates a deterministic command line you commit alongside your project. The npm CLI drops into Node-based pipelines (npm install javascript-obfuscator) and accepts the same options as the GUI. The hosted HTTP+JSON API works for any pipeline that can issue HTTPS requests — no installation needed.

Will obfuscation break my code or hurt runtime performance?

Static transforms (renaming, string encoding, dead-code insertion) impose negligible overhead — typically under 5% on real workloads. The Maximum-mode decoder adds a one-time per-build cost on first execution that's typically a few milliseconds. We publish a benchmark methodology and run a compatibility analyzer that flags risky patterns (eval loops, dynamic property names) before the build commits.

Still have a question? Email [email protected] or browse the full documentation.

Open Documentation ›