Obfuscate Nodejs Code In Less Than 5 Minutes

Companies are increasingly selling the software as a service,  so it is more and more important to protect the source code from hackers or from people stealing the heartfully build software and reverse engineer it.

As we know most of the IT companies suggest we protect the frontend code (Angular, React, and javascript, etc). But to us, it is equally important to protect the server-side software as well and that is why we are sharing steps we use to protect the source code (Nodejs) that is residing in the server.If you follow the steps here, you will make the Nodejs code nonreadable or highly impossible for a human to read.

We have many approaches to obfuscate software, we will discuss one of them using pkg Node module. Using pkg module, obfuscation will be easy and safer to encrypt and execute.

pkg module will generate executable files for several targets(Operating Systems).

Install a pkg package

npm install -g pkg

After the successful installation, you will get access to pkg files in /usr/local/lib. you can see the list of options provided by the pkg using below command

pkg --help 

If you’re using express.static method in your code change it to use the express-static npm, because in the process of execution express.static method will lose its functionality.

Find the below script

import express from 'express';

import appRoot from 'app-root-path';

import path from 'path';

const app = express ();

app.use(express.static(path.join(appRoot.path, 'server/upload'))); 

Replace the above script with below script

import express from 'express';

import appRoot from 'app-root-path';

import path from 'path';

import serve from 'express-static';

const app = express ();


Note: If we are using the setting app.use(serve(path.join(appRoot.path,'server/upload'))); will work well if we are not creating the files (Images) dynamically. 

If you run into a problem of dynamically created images not showing up, change the setting to hardcode the path like (app.use(“upload’,serve('/home/images/upload')));)

Tip: It is recommended to use the external folder to store the images than the server directory.

Pkg module is available only for the ES-5. So if you’re using ES-6 make sure you convert your ES-6 code base to ES-5 using babel command 

babel server.js -d ./ --presets  es2017   (-d is the option for  the output path)

Once your code is ported to  ES-5, You have to run the below command with the --debug option or with the other options available to generate the executable files. 

pkg --debug server.js

If you run the above command with a debug option, you will see the process and error trace if it exists. 

It is advised to mention the command under the scripts in package.json file of your server like in the screengrab. So it will be handy when you are rerunning the command.

On a successful run, you will find the executable files in the current working directory

For Linux: server-start.prob-linux

For Windows: server-start.prob-win.exe

For Mac: server-start.prob-macos

Once you see the above files, you have to use the corresponding executable file for the respective server operating system. 

You can run the executable file using the below command (I’m using the Linux operating in my example here, so make sure you use the apt one for your server OS).

cwd~ ./server-start.prob-linux  (cwd ==> current working directory )

Now check your Nodejs code, you should see a script that is nonreadable for humans as in the below screengrab.

Things to keep in mind.

  • Make sure that the server code is changed to ES-5 format.
  • Take a back up of your ES-6 format files before babeling it to ES-5 
  • approot.path won’t work in the execution file . Please make sure that you gave an exact path to retrieve the files or images as ( app.use(“upload’,serve('/home/server/upload'))); ) 
  • Make sure you are not running into the version issues with your Nodejs

Quick links that might be helpful for further information: 


Frequently Asked Questions:

What does obfuscate mean?
In Code Obfuscation, we take source code and try to make it as unreadable as possible. Yes! I said unreadable!. Code Obfuscation calls for transforming some or most of the code.

Why would someone want to use code obfuscation?
The reason is that we want to protect the intellectual property of our programming code. We certainly do not want the attacker to take our executable binary and tamper or reverse engineer it.

Leave A Comment

Your email address will not be published. Required fields are marked *