Documentation

Guides for protecting production JavaScript

Reference guides for release workflows, command-line usage, cross-file protections, and the desktop app.

Inside the Docs

Practical guides for real release work.

How-to guides Start with release sequencing and command-line usage, then move into feature-specific references.
Advanced protection Browse cross-file controls like Replace Globals and Protect Members when a build spans multiple scripts.

Managed Web Integrity

  • third-party origin, inline hash, content swap, and late-injection detection
  • monitor or block unknown dynamic scripts and protected-field egress
  • versioned policies, deduplicated incidents, assignment/status workflow, JSON export

jso-protector/runtime/third-party-inventory is the browser sensor. jso-protector/runtime/managed-integrity is the policy and incident control plane. The account dashboard now persists and versions policies at /dashboard/web-integrity.aspx, while the public ETag-enabled policy endpoint lets the browser sensor enforce them without exposing account credentials. Apply App_Data/CreateWebIntegrityTables.sql before enabling it.

Block unknown dynamic scripts

const inventory = require("jso-protector/runtime/third-party-inventory");
inventory.attach(window, {
  originAllowlist: ["https://js.stripe.com", "https://cdn.example.com"],
  inlineContentAllowlist: ["sha256-hex"],
  enforcementMode: "block",
  beaconUrl: "/v1/runtime/beacon.ashx",
  onBlocked(decision) { lockCheckout(decision); }
});

Block mode neutralizes a dynamically-created script before its src is assigned when the origin is unknown or the script is injected after page load. Pre-existing parser-inserted scripts still require CSP and SRI for deterministic pre-execution blocking.

The dashboard can publish durable versioned policies. Load one directly with attachFromPolicy(window, { policyUrl: "/v1/runtime/integrity-policy.ashx?id=..." }); public responses use an ETag and five-minute cache window while containing no account credentials or secrets.

Fence protected data at browser egress

const dataGuard = require("jso-protector/runtime/data-exfiltration-guard");
dataGuard.attach(window, {
  id: "checkout-egress", version: "1", mode: "block",
  allowedOrigins: [location.origin, "https://api.stripe.com"],
  protectedFieldNames: ["accountNumber"]
});

The guard watches fetch, XHR, sendBeacon, WebSocket sends, and programmatic form submission. Built-in selectors cover password and payment autocomplete fields; add application-specific selectors or field names explicitly. It blocks only when protected data is sent to an unapproved destination. Incident snapshots retain destination origin, field names, counts, transport, and action, but never field values or request bodies.

This is a defense-in-depth browser control, not a substitute for CSP, SRI, server-side tokenization, or a managed SOC. It cannot reliably identify the originating script for every JavaScript call, and already-encoded or encrypted payloads may evade value matching. Start in monitor mode, review destinations, then enable block.

Version and operate policy

const managed = require("jso-protector/runtime/managed-integrity");
const policy = managed.createManagedIntegrityPolicy({
  id: "checkout", version: "2026-07-13.1", mode: "block",
  allowedOrigins: ["https://js.stripe.com"],
  expectedContentBySrc: approvedHashes
});
const decision = managed.evaluateSnapshot(policy, inventorySnapshot);
const operations = managed.createIntegrityOperations();
operations.ingest(decision);

The operations layer fingerprints repeated violations, increments occurrence counts, supports open/reviewing/resolved/ignored transitions, records assignee and resolution data, and exports portable JSON for retention or SIEM handoff.

Operational boundary

The hosted product stores policies and receives runtime incidents; customers can also run the package control plane in their own worker or collector. A managed monitoring contract, 24/7 analyst response, regulatory attestation, and incident-response ownership remain service and organizational commitments rather than properties software can create.

Try this in the online obfuscator

Paste your own code and see this option applied, or compare plans for larger projects and the desktop app.

Try It Free See Pricing