Can JavaScript Obfuscator protect JavaScript embedded in HTML, PHP, ASP, ASPX, or JSP files?

Yes. The desktop app protects JavaScript embedded in mixed files including HTML, PHP, ASP, ASPX, and JSP.

Anti-LLM Maximum mode in every paid tier — per-build polymorphic decoding from $29/mo · Compare plans

Try the online obfuscator Free preview · no signup · in your browser

JavaScript Protection For Release Teams · Since 2004

Protect shipped JavaScript without slowing down the release flow around it.

Q: Is the original source recoverable from the obfuscated output?

No. Once the symbols and comments are transformed, the original source cannot be recovered from the obfuscated output - not by hand, not by automated deobfuscators, not by LLM-based tools.

Q: Is anti-LLM Maximum mode included in the lower-priced plans?

Yes. Maximum-mode anti-LLM protection is available in every paid tier starting at $29/month, not gated behind an enterprise upgrade.

Start with a browser preview, move into the desktop app when source must stay local, or wire the hosted API and npm CLI into CI. Maximum-mode polymorphic protection starts at $29/month.

Try It Free Online View Plans From $29/month See Release Workflows ›

Online preview No signup required Desktop path Source stays local Automation API + npm CLI available

Protect production code

Use stronger protection for shipped JavaScript, then move into desktop, API, or CLI workflows when the release process needs to scale.

Preview Try the browser tool before changing your build flow.

Local Switch to desktop when code cannot leave the workstation.

Ship Carry the same preset into repeatable release automation.

2004 First shipped. Continuous releases for 22 years. Heritage

$29 = 1 GB Entry tier with anti-LLM Maximum mode included. Pricing

Per-build Polymorphic decoder regenerated every release. Anti-LLM

4 paths Online, desktop GUI, hosted API, npm CLI. Workflow

Trusted by product teams worldwide Some of the names that have shipped JavaScript Obfuscator-protected code in production since 2004.

Find Your Fit

Pick your threat model. We'll point you at the right preset.

The right amount of protection depends on what an attacker actually wants from your code. Pick one and the recommendation appears below.

Tier 1

Anti-copying

A competitor scrapes my script and runs it on their own site. I want them to get a working file they can't easily modify or extend.

Standard preset →

Tier 2

Anti-IP-theft

Someone wants to understand my algorithm well enough to reimplement it. They have time, tools, and motivation. I want to make that effort uneconomical.

Maximum preset →

Tier 3

Anti-active-attacker

Someone wants to tamper with my running code — bypass a paywall, grant a feature, manipulate game state. Active attacker, real-time threat.

Maximum + monitoring →

Recommended: Standard preset. Variable renaming and string encoding stop the casual copy-and-paste copycat. The Free tier is enough — no credit card required. Upgrade only if your usage grows beyond 200 MB/month.

Open Standard Preset ›

Recommended: Maximum preset. Per-build polymorphic decoder, encrypted constant pool, flat-transformed control flow, self-defending wrapper. The threshold an attacker has to cross becomes uneconomical for most non-state actors. Available in every paid tier from $29/month.

Open Maximum Preset ›

Recommended: Maximum preset + a runtime monitoring suite. Maximum mode raises the cost of analysis; runtime monitoring catches tampering when it happens. Server-side authority on anything that grants access. Obfuscation is one layer in a layered defense, never the only one.

Open Maximum Preset › Runtime Defense Guide

Pricing

Published plans. Anti-LLM in every paid tier.

No sales call. No "contact us for pricing." Maximum-mode anti-LLM protection is included from the entry tier up — never gated to a higher plan.

Bytes per dollar at the entry tier

JavaScript Obfuscator

$29 → 1 GB / month

Comparable

$19 → 100 MB

10× the bytes per dollar. Anti-LLM Maximum mode included from $29.

Start free

Free

$0/month

A no-cost starting point for quick evaluations and basic obfuscation workflows.

Best for first previews

200 MB monthly quota
20 files per request
Name mangling
String encoding

Get Started Free

Individual builds

Basic

$29/month

Maximum-mode protection for individual developers shipping active products.

Best for solo release flow

1 GB monthly quota
50 files per request
10 MB max file size
Compression included
All Free features

Choose Basic

Corporate

$49/month

The best balance of capacity and advanced controls for repeatable team releases.

Best for growing teams

3 GB monthly quota
1000 files per request
30 MB request size
Replace globals + protect members
Dead code insertion

Choose Corporate

High-volume pipelines

Enterprise

$99/month

Higher limits for larger release pipelines and broader file-processing capacity.

Best for larger throughput

9 GB monthly quota
3000 files per request
120 MB max file size
Best compression ratio
All Corporate features

Choose Enterprise

Compare all four plans in detail ›

The Question Every Procurement Reviewer Asks

What actually changes when the output shape is different on every release?

Short answer: no, for output that regenerates its decoder shape every build. Yes, for static obfuscators in their training data.

Every release changes the attack surface. Maximum mode regenerates the decoder shape, key path, and identifier prefix instead of shipping one static transform signature forever.

LLMs lose the shortcut they rely on. Pattern-matching works well against fixed obfuscators. It degrades when the next build is structurally different from the last one.

Runtime-decoded constants remove obvious clues. Strings, names, and readable branches stop acting like anchor points for reverse engineering and code explanation prompts.

Read the full answer › Compare Obfuscators

// What an LLM sees on a Maximum-mode build:
//   (function(){var _0xa3=_dec(0x4a); ... })();
//
// What it CAN'T tell you:
//   - what _dec(0x4a) decodes to
//   - which case the state machine runs first
//   - what the original variable names were
//   - what the strings are
//
// All of that lives behind the decoder,
// which only runs at runtime.

Procurement-Ready

Get answers without a sales call.

Source-handling, release validation, compliance vocabulary, and workflow-to-policy fit are all documented. Your security team can review without scheduling a discovery meeting first.

Review pack ready Workflow and trust docs Local-only path included

In-memory processing Submitted JavaScript is processed in server memory only, and the desktop workflow keeps source on the workstation throughout.

Compliance vocabulary mapped GDPR data minimisation, OWASP A04/A09, PCI DSS 4.0 client-side script integrity, HIPAA-adjacent code, and NIST SSDF concerns are addressed in one place.

Honest scope No SOC 2 or ISO 27001 claims today. We publish the handling details, support path, release-validation guidance, and local-only option we do have.

Open Security & Trust Source Handling Doc Release Workflow

Desktop App

Your source code never leaves your workstation.

For PHI-adjacent web apps, on-prem build pipelines, or any project where the JavaScript source code can't be uploaded to a third-party server — use the desktop GUI. Batch process entire projects, including JavaScript embedded in HTML, PHP, ASP, ASPX, and JSP. Generate a deterministic command line you can check into your release pipeline.

Mixed-file support for HTML, PHP, ASP, ASPX, and JSP Deterministic command line for release automation Local-only path for sensitive source code

Download Desktop › Take a Tour ›

Scope Whole projects and embedded JavaScript

Output Repeatable command line for CI handoff

Security Source stays on the local workstation

Three Ways To Start

Pick the entry point that fits how your team actually ships.

Use the online tool for quick evaluation, move to desktop when source must stay local, or hand procurement and engineering the deeper docs when they need release-process details first.

Try the online obfuscator

Best when you want a fast before-and-after preview, a quick shareable test, or a lightweight way to compare presets.

Open the browser tool ›

Download the desktop app

Best for PHI-adjacent code, on-prem build systems, and mixed-file projects that need local-only processing.

Get the desktop installer ›

Review trust and workflow docs

Best when security reviewers, release managers, or procurement teams want handling details before testing the product directly.

Open security and workflow docs ›

From the engineering team

All articles

Vendor Comparison ~10 min read

JavaScript VM protection compared — Jscrambler, JSDefender, Verimatrix, OSS virtualizers

What each vendor actually ships, where JSO selective virtualization fits, and a budget-band decision framework.

Read the comparison ›

Roadmap ~8 min read

True VM-based protection — coming to Maximum mode

Selective per-function bytecode virtualization with a per-build VM interpreter. Why it's opt-in per function rather than whole-bundle default.

Read the design ›

Anti-LLM Research ~9 min read

Can ChatGPT, Claude, or Copilot reverse-engineer obfuscated JavaScript?

What today's AI assistants can actually deobfuscate, where they break down structurally, and why per-build polymorphic decoders defeat the pattern-matching approach.

Read the analysis ›

Frequently Asked

The questions security reviewers and release managers ask first.

Plain answers on LLM resistance, recoverability, embedded JavaScript support, and what's in the lower-priced plans.

Can ChatGPT, Claude, or Copilot reverse-engineer code protected by JavaScript Obfuscator?

Maximum-mode protection emits a per-build polymorphic decoder. Every release regenerates the decoder shape, key derivation, identifier prefix, and constant-pool encoding. LLMs work by pattern-matching against known transform signatures, so an AI deobfuscator that solves one build cannot apply the same approach to the next.

Is the original source recoverable from the obfuscated output?

No. Once the symbols and comments are transformed, the original source cannot be recovered from the obfuscated output — not by hand, not by automated deobfuscators, not by LLM-based tools. Variable names, string contents, and structural cues are gone for good.

Can it protect JavaScript embedded in HTML, PHP, ASP, ASPX, or JSP files?

Yes. The desktop app processes mixed files end-to-end, including JavaScript inside HTML, PHP, ASP, ASPX, and JSP templates. The non-JS portions of each file pass through untouched while every <script> block and inline event handler runs through the obfuscation pipeline.

Is anti-LLM Maximum mode included in the lower-priced plans?

Yes. Maximum-mode anti-LLM protection — per-build polymorphic decoder, encrypted constants, flat-transformed control flow — is available in every paid tier starting at $29/month. It's not gated behind an enterprise upgrade or a separate add-on.

How do I integrate it into a CI/CD pipeline?

Three options depending on where your build runs. The desktop app generates a deterministic command line you commit alongside your project. The npm CLI drops into Node-based pipelines (npm install javascript-obfuscator) and accepts the same options as the GUI. The hosted HTTP+JSON API works for any pipeline that can issue HTTPS requests — no installation needed.

Will obfuscation break my code or hurt runtime performance?

Static transforms (renaming, string encoding, dead-code insertion) impose negligible overhead — typically under 5% on real workloads. The Maximum-mode decoder adds a one-time per-build cost on first execution that's typically a few milliseconds. We publish a benchmark methodology and run a compatibility analyzer that flags risky patterns (eval loops, dynamic property names) before the build commits.

Still have a question? Email [email protected] or browse the full documentation.

Open Documentation ›