Developer

JS Obfuscator

Apply light obfuscation to small scripts: string-aware removal of // and /* */ comments, optional whitespace collapse outside strings, optional hex / unicode escapes for quoted string literals, and an optional UTF-8 Base64 shell that decodes at runtime. This is not a substitute for real security — everything runs locally in your browser.

Ad placement — top banner

No file loaded

Drop a .js file here UTF-8 text is read into the input — nothing is uploaded

Options run in order: comments → whitespace → hex strings → Base64 wrapper. The Base64 step applies to the already transformed code. Test output before shipping — especially with regex literals and strict CSP.

Ad placement — mid rectangle

What is “light” obfuscation?

Obfuscation makes source harder to read at a glance. It does not provide confidentiality: anyone can still recover behavior with devtools, prettifiers, or a few minutes of work. Use this tool for casual deterrence or quick experiments — not for API keys, license checks, or anti-tamper guarantees.

What this tool does

A small state machine walks your file and treats ', ", and ` delimited regions as opaque: comments are stripped and spaces collapsed only outside those regions. Optional hex encoding rewrites string literals using \xNN and \uXXXX escapes (via the same decoded values as the original literals). The optional Base64 wrapper UTF-8–encodes the whole prior result and emits an immediately invoked function that decodes and runs it with new Function.

  • No server round trip — suitable for quick one-off snippets.
  • Stats show input length, output length, and character delta.
  • Template literals with ${…} are not hex-rewritten (avoids breaking embedded expressions).

Limits and caveats

Full JavaScript minifiers use an abstract syntax tree. Regex-based tools cannot reliably tell a regex literal from division in every position. If output looks wrong, narrow the snippet or switch to webpack, esbuild, or a dedicated obfuscator in your pipeline.

How to use this tool

  1. Step 1: Paste JavaScript or drop a file.
  2. Step 2: Enable stripping and whitespace collapse first; add hex strings or Base64 only if you need them.
  3. Step 3: Copy the output and run your unit tests or load in a scratch page.
  4. Step 4: For production, prefer your bundler’s Terser or a maintained obfuscator with AST support.

Frequently Asked Questions

Does DroidXP upload my JavaScript?

No. The tool runs entirely in your browser. For proprietary code, still follow your organization’s policies on using web-based utilities.

Is this strong enough to protect secrets?

No. Comment removal, whitespace collapse, hex string encoding, and a Base64 wrapper are easy to reverse. Treat this as light obfuscation for casual inspection, not security or licensing.

Why did my regex or division break?

A tokenizer cannot perfectly distinguish every slash from a regex literal. If you see odd behavior, run the same options on a smaller snippet or use a full AST-based minifier in your build.

What is the Base64 wrapper doing?

It UTF-8 encodes your script, Base64-encodes it, then emits an IIFE that decodes at runtime and runs the code via new Function. That is reversible and may be blocked by strict Content Security Policy.

Why are template literals not hex-encoded?

Backtick strings can contain embedded expressions; this tool leaves them unchanged so it does not corrupt nested expressions.

Can I process huge bundles?

Very large files may hit memory limits in the tab. This page caps input length; for big bundles, use your bundler or a CLI obfuscator.

Does hex-encoding strings change runtime behavior?

The emitted literals decode to the same string values as before. If evaluation of a literal fails, that literal is left unchanged.

Ad placement — sidebar 300×600