Documentation

Guides for protecting production JavaScript

Reference guides for release workflows, command-line usage, cross-file protections, and the desktop app.

Inside the Docs

Practical guides for real release work.

How-to guides Start with release sequencing and command-line usage, then move into feature-specific references.
Advanced protection Browse cross-file controls like Replace Globals and Protect Members when a build spans multiple scripts.

Scorecard

  • 2026-06-08
  • Procurement, security review, evaluation

A numbers-first summary of the JSO ecosystem and how it's tested. Where claims need verification, every entry links to the source of truth (npm package, CI template, doc page).

9
First-class language clients
Node, Python, Go, .NET, Ruby, PHP, Rust, Java, Kotlin
13
CI templates
GitHub, GitLab, Circle, Jenkins, Azure, Bitbucket, Drone, Buildkite, Woodpecker, Tekton, TeamCity, GoCD, Argo
8
Error-reporter integrations
Sentry, Bugsnag, Rollbar, Datadog, Honeybadger, Raygun, Airbrake, AppSignal
11
Build-tool plugin entrypoints
Vite, Webpack, Rspack, Rollup, esbuild, Next.js, Parcel, Metro/RN, Bun, Turbopack, Browserify/Gulp/Grunt
2
IDE plugin families
VS Code · JetBrains (WebStorm + IDEA Ultimate + 5 others)
4
Kubernetes-native deployment patterns
Standalone Job · Helm chart (Job/CronJob) · Tekton · Argo
330+
Locally-runnable + CI tests
172 CLI/Node workflow tests + 167 focused package tests, plus polyglot and static contract gates
14
Verify-chain gates
Package, metadata, CI, polyglot, AI, ASP.NET, links, runtime, payment, source-map, VM, archive, copy, and action checks

Supported runtime matrix

LanguageMin runtimeHTTP transportThird-party depsLocally verified
NodeNode 18fetchnone172 tests
PythonPython 3.8urllib (stdlib)none8 tests
GoGo 1.21net/http (stdlib)none8 tests, awaiting Go CI
.NET.NET Standard 2.0HttpClientSystem.Text.Json8 tests
RubyRuby 2.7net/http (stdlib)none8 tests, awaiting Ruby CI
PHPPHP 7.4ext-curl + stream fallbacknone8 tests, awaiting PHP CI
RustRust 1.70ureq (sync, rustls)serde_json, thiserror7 tests, awaiting Rust CI
JavaJDK 11java.net.httpJackson7 tests, awaiting Java CI
KotlinJDK 11java.net.httpkotlinx-serialization, kotlinx-coroutines7 tests, awaiting Kotlin CI

Security posture

  • Password hashing: PBKDF2-SHA256, 120k iterations (OWASP 2026 floor), 16-byte salt, 32-byte hash.
  • API-key passwords: MachineKey AES-CBC-encrypted at rest (auto-upgrades on first verify).
  • Admin password: PBKDF2 hash supported via JSOAdminPasswordHash; constant-time compare; cookie bound to UA+IP+XFF.
  • Recovery codes: HMAC-SHA256 with a per-deployment server secret; constant-time verify.
  • ESLint plugin: catches base-64-shaped JSO API tokens hardcoded in source. Auto-fixes to process.env.
  • pre-commit hooks: jso-release-check + jso-dry-run + jso-credential-leak scan, all run before each git commit.
  • Polymorphism evidence: every API response includes BuildId and PolymorphismFingerprint; two consecutive obfuscations of identical input MUST produce different fingerprints.
  • Symbolication privacy: identifier maps stay on the customer machine; stack traces are demangled locally by jso-symbolicate. No third-party symbolication service.
  • Beacon webhook guidance: Runtime Defense beacons can be sent to a customer-owned collector today. The planned jso-beacon-slack forwarder is not a public package yet, so customers should not depend on it for production routing.

Verifiability

Every claim on this page links to a source you can inspect without contacting JSO:

Procurement use: this page is designed to fit in a vendor-evaluation spreadsheet. Each tile is a number that maps to a known category and a known source. If your evaluation rubric needs a number we don't show, contact support — recipes get added based on what real evaluations ask for.

Try this in the online obfuscator

Paste your own code and see this option applied, or compare plans for larger projects and the desktop app.

Try It Free See Pricing