Runtime Defense

  • HTTP API, npm CLI, build plugins, desktop projects
  • tamper response, code locks, debugger friction, and release attestation

Runtime defense adds active checks around protected code. These options do not replace obfuscation; they add policy checks that can throw, blank the page, redirect, call a local handler, or POST a small beacon when a protected release is run in the wrong environment or appears to be under analysis.

Choose the response action

Use RuntimeDefenseAction to choose what happens when a runtime check fails. Supported values are throw, blank, and redirect. Use RuntimeDefenseRedirectUrl with redirect.

{
  "Options": {
    "RuntimeDefenseAction": "throw",
    "RuntimeDefenseCallback": "window.jsoDefenseEvent",
    "RuntimeDefenseBeaconUrl": "https://example.com/jso-defense"
  }
}

RuntimeDefenseCallback is a global function path that receives { code, message }. RuntimeDefenseBeaconUrl sends the same event body with navigator.sendBeacon or fetch in browsers, and an HTTP(S) request in Node-compatible targets. This is an alert hook, not a hosted monitoring dashboard.

Debugger and tamper checks

  • DebugProtection: Adds browser debugger timing checks and debugger-trigger friction.
  • DisableConsoleOutput: Suppresses common console methods in protected browser output.
  • SelfDefending: Wraps output with integrity checks that fail when the generated function body changes.
  • SelfDefendingIntervalSeconds: Runs recurring integrity heartbeats when set to a positive number.
  • RuntimeIntegrityAlgorithm: Uses Web Crypto digest checks with SelfDefending, for example SHA-256.
  • BlockDevToolsKeys: Blocks common browser keyboard shortcuts used to open developer tools.

When OptimizationMode=NodeJS, browser-only checks that do not make sense for that target are skipped with a warning.

Code locks

Domain and date locks are the simple distribution controls. Runtime defense adds stronger release-specific checks for applications that can provide expected state at startup.

  • Session lock: RuntimeSessionToken and RuntimeSessionVariable require a global value to match the token embedded in the protected build.
  • Fingerprint lock: RuntimeFingerprint locks to an exact collected browser fingerprint. RuntimeFingerprintAllow supports partial allow-list matching.
  • Challenge lock: RuntimeChallengeSecret, RuntimeChallengeVariable, and RuntimeChallengeWindowSeconds require a fresh runtime challenge response.
  • Headless detection: DetectHeadlessBrowser detects common automated browser signals before running protected logic.

{
  "Options": {
    "RuntimeDefenseAction": "blank",
    "RuntimeFingerprintAllow": [
      "platform:Win32",
      "language:en-US",
      "timezone:300"
    ],
    "RuntimeFingerprintMinMatch": 2,
    "RuntimeTimezoneToleranceMinutes": 60,
    "DetectHeadlessBrowser": true
  }
}

Fingerprint tokens can use userAgent, platform, language, screen, colorDepth, and timezone. Use partial matching for real user traffic; exact fingerprints are brittle across browser and OS updates.

Signed release envelopes

Signed envelopes let a protected build verify that a runtime-provided payload was signed by your release system. Configure RuntimeSignedEnvelopeVariable, RuntimeSigningPublicKey, RuntimeSignatureAlgorithm, and RuntimeSignedEnvelopeWindowSeconds. Optional expected claims include RuntimeExpectedChallengeID, RuntimeExpectedReleaseID, RuntimeExpectedWorkspaceKey, and RuntimeExpectedProjectName.

{
  "Options": {
    "RuntimeSignedEnvelopeVariable": "window.jsoReleaseEnvelope",
    "RuntimeSigningPublicKey": "-----BEGIN PUBLIC KEY-----...-----END PUBLIC KEY-----",
    "RuntimeSignatureAlgorithm": "RSASSA-PKCS1-v1_5",
    "RuntimeSignedEnvelopeWindowSeconds": 300,
    "RuntimeExpectedReleaseID": "web-2026.05.14"
  }
}

Set RuntimeSignatureBindEnvironment=true when the signature should also bind to the current user agent and platform. Signed envelope verification requires browser Web Crypto support and is skipped for NodeJS-targeted builds.

Where results appear

The HTTP API response and release audit metadata include runtime-defense summaries: enabled defenses, callback/beacon presence, lock types, integrity heartbeat status, signed-envelope status, and the selected action. Use these summaries in CI when reviewing whether a release candidate has the expected runtime policy.
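
A preflight check a CI job could run on the Options object before a build is submitted, given here as an added example and not the product's own code. The rules are read off the option descriptions on this page; the grouping of related options, the browser-only list, and the name lintRuntimeDefense are assumptions.

```javascript
// Added example: preflight lint for a runtime-defense "Options" object.
// Rules are read off this page's option descriptions; this is not the product's validator.

// Assumption: options the page lists together are meant to be configured as a set.
const GROUPS = {
  'signed envelope': ['RuntimeSignedEnvelopeVariable', 'RuntimeSigningPublicKey',
                      'RuntimeSignatureAlgorithm', 'RuntimeSignedEnvelopeWindowSeconds'],
  'session lock': ['RuntimeSessionToken', 'RuntimeSessionVariable'],
  'challenge lock': ['RuntimeChallengeSecret', 'RuntimeChallengeVariable',
                     'RuntimeChallengeWindowSeconds'],
};
// Assumption: these are the checks the page describes as browser-specific.
const BROWSER_ONLY = ['DebugProtection', 'DisableConsoleOutput', 'BlockDevToolsKeys',
                      'RuntimeSignedEnvelopeVariable'];
const isSet = (o, k) => o[k] !== undefined && o[k] !== null && o[k] !== false && o[k] !== '';

function lintRuntimeDefense(config) {
  const o = (config && config.Options) || {};
  const findings = [];
  const add = (level, rule, detail) => findings.push({ level, rule, detail });

  const action = o.RuntimeDefenseAction;
  if (isSet(o, 'RuntimeDefenseAction') && !['throw', 'blank', 'redirect'].includes(action))
    add('error', 'action-unsupported', `"${action}" is not throw, blank, or redirect`);
  if (action === 'redirect' && !isSet(o, 'RuntimeDefenseRedirectUrl'))
    add('error', 'redirect-without-url', 'redirect needs RuntimeDefenseRedirectUrl');

  // Partial fingerprint matching: the threshold cannot exceed the allow-list size.
  const allow = Array.isArray(o.RuntimeFingerprintAllow) ? o.RuntimeFingerprintAllow : [];
  if (Number(o.RuntimeFingerprintMinMatch) > allow.length)
    add('error', 'minmatch-unreachable', `MinMatch exceeds ${allow.length} allow-list entries`);
  if (isSet(o, 'RuntimeFingerprint'))
    add('warn', 'exact-fingerprint', 'exact fingerprints are brittle across updates');

  for (const [name, keys] of Object.entries(GROUPS)) {
    const missing = keys.filter((k) => !isSet(o, k));
    if (missing.length > 0 && missing.length < keys.length)
      add('error', 'group-incomplete', `${name} is missing ${missing.join(', ')}`);
  }
  // A NodeJS-targeted build would ship without the browser-only checks it asked for.
  if (o.OptimizationMode === 'NodeJS')
    for (const k of BROWSER_ONLY.filter((key) => isSet(o, key)))
      add('warn', 'skipped-on-nodejs', `${k} may be skipped for OptimizationMode=NodeJS`);
  // RuntimeIntegrityAlgorithm is documented as working with SelfDefending.
  if (isSet(o, 'RuntimeIntegrityAlgorithm') && !isSet(o, 'SelfDefending'))
    add('warn', 'digest-without-selfdefending', 'SelfDefending is not enabled');
  return findings;
}
```

A CI step can fail the job when any finding has level "error" and print the warnings for review alongside the runtime-defense summaries.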