Documentation

Guides for protecting production JavaScript

Reference guides for release workflows, command-line usage, cross-file protections, and the desktop app.

Inside the Docs

Practical guides for real release work.

How-to guides Start with release sequencing and command-line usage, then move into feature-specific references.
Advanced protection Browse cross-file controls like Replace Globals and Protect Members when a build spans multiple scripts.

Managed Web Integrity

  • third-party origin, inline hash, content swap, and late-injection detection
  • monitor or synchronously block unknown dynamically-created scripts
  • versioned policies, deduplicated incidents, assignment/status workflow, JSON export

jso-protector/runtime/third-party-inventory is the browser sensor. jso-protector/runtime/managed-integrity is the policy and incident control plane. The account dashboard now persists and versions policies at /dashboard/web-integrity.aspx, while the public ETag-enabled policy endpoint lets the browser sensor enforce them without exposing account credentials. Apply App_Data/CreateWebIntegrityTables.sql before enabling it.

Block unknown dynamic scripts

const inventory = require("jso-protector/runtime/third-party-inventory");
inventory.attach(window, {
  originAllowlist: ["https://js.stripe.com", "https://cdn.example.com"],
  inlineContentAllowlist: ["sha256-hex"],
  enforcementMode: "block",
  beaconUrl: "/v1/runtime/beacon.ashx",
  onBlocked(decision) { lockCheckout(decision); }
});

Block mode neutralizes a dynamically-created script before its src is assigned when the origin is unknown or the script is injected after page load. Pre-existing parser-inserted scripts still require CSP and SRI for deterministic pre-execution blocking.

The dashboard can publish durable versioned policies. Load one directly with attachFromPolicy(window, { policyUrl: "/v1/runtime/integrity-policy.ashx?id=..." }); public responses use an ETag and five-minute cache window while containing no account credentials or secrets.

Version and operate policy

const managed = require("jso-protector/runtime/managed-integrity");
const policy = managed.createManagedIntegrityPolicy({
  id: "checkout", version: "2026-07-13.1", mode: "block",
  allowedOrigins: ["https://js.stripe.com"],
  expectedContentBySrc: approvedHashes
});
const decision = managed.evaluateSnapshot(policy, inventorySnapshot);
const operations = managed.createIntegrityOperations();
operations.ingest(decision);

The operations layer fingerprints repeated violations, increments occurrence counts, supports open/reviewing/resolved/ignored transitions, records assignee and resolution data, and exports portable JSON for retention or SIEM handoff.

Operational boundary

The hosted product stores policies and receives runtime incidents; customers can also run the package control plane in their own worker or collector. A managed monitoring contract, 24/7 analyst response, regulatory attestation, and incident-response ownership remain service and organizational commitments rather than properties software can create.

Try this in the online obfuscator

Paste your own code and see this option applied, or compare plans for larger projects and the desktop app.

Try It Free See Pricing