在做前端安全相关需求时，How这个问题绕不开，刚好把踩坑经验分享一下。

Want to learn advanced techniques? Check out our premium courses.

正文

保护JavaScript代码的有效方法。JavaScript加密技术。JavaScript代码的混淆方法。

在现代Web开发中，How变得越来越重要。开发者需要了解相关的安全 implications 和最佳实践。

实现How时，有几个关键考虑因素。首先是性能优化——复杂的计算可能会阻塞主线程，影响用户体验。其次是安全性，必须在应用的每一层都考虑到。

许多开发者忽视了适当的错误处理和调试技术的重要性。浏览器开发者工具、日志框架和监控服务可以显著改善开发流程。

How相关的生态系统发展迅速。新库和新框架 regularly 出现，每个都有各自解决常见问题的方法。

测试是另一个关键方面，不容忽视。自动化测试、代码审查和安全审计有助于确保代码库的质量和可靠性。

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

篇幅原因就先写这么多，后面有空会再补充更多实战案例。有问题评论区见。

Reference: How to protect/encrypt source code on a client machine? - Reddit

I've had several readers ask me about Security recently, so I decided to write a comprehensive article about it.

Want to learn advanced techniques? Check out our premium courses.

正文

The presence of **JavaScript code on client-side** devices creates various security holes that permit code injection, reverse engineering, and data exposure attacks. Attacks on JavaScript web applications are enabled through easy access to scripts, which permits intruders to both observe and modify program code, steal sensitive information, and embed destructive scripts within the system framework. Developers must protect their client-side JavaScript applications from security threats by impleme

In modern web development, Security has become increasingly important. Developers need to understand the security implications and best practices.

When implementing Security, there are several key considerations. First, performance optimization is crucial. Second, security must be addressed at every layer.

Many developers overlook the importance of proper error handling and debugging techniques.

The ecosystem around Security continues to evolve rapidly. New libraries and frameworks emerge regularly.

Testing is another critical aspect that shouldn't be neglected.

More Details

There are a few more points worth noting. First, browser compatibility varies across different browsers. Second, performance optimization is crucial when handling large amounts of data. Finally, key management is also an important consideration.

That's all for this comprehensive guide. I hope you found it helpful! Feel free to leave comments if you have questions.

Reference: Security Tips to Protect Client-Side JavaScript Applications

关于Anti-Debugging，网上资料比较零散，这里做个相对完整的总结。

Want to learn advanced techniques? Check out our premium courses.

正文

For developers who write malicious programs, it’s important to make their code not easy to be read and executed in a sandbox. Like most languages, there are many ways to make the life of malware analysts mode difficult (or more exciting, depending on the side of the table you’re sitting ;-).

Besides being an extremely permissive language with its syntax and making it easy to obfuscate, JavaScript can also implement anti-debugging techniques. A well-known technique is based on the method arguments.callee()[

]. This method allows a function to refer to its own body:

Then, the function can perform checks on the content of the variable 'foobar' (to check the size, to compute a hash or to search for the presence of specific strings) to detect if the content of the function has been modified by an Analyst (ex: to debug the code in the browser).

Speaking about browsers, their “developer tools” are very convenient to debug JavaScript. I got access to a malicious file shared with another malware analyst (thank you Mark!). It implements a nice technique to prevent malicious code to be executed if the browser console is open! Here is the small proof-of-concept based on the initial code (beautified):

The function GFkPC() defines a variable ‘ll’ which will contain the console status (default false - console closed). An object is created (WXMpu) and a ‘getter’[

] on the property is added. The get syntax binds an object property to a function that will be called when that property is looked up. I don’t know why but ‘get’ works only when the console is open. Below, we use the object, this will result in the getter function to be executed and modify the value of ‘ll’ is the console is open.

Let’s load this PoC into Chrome with the Developer Tools open:

You see that the getter is called and the console.log() used.

Now, let's close the console and reload the PoC in the same browser:

This technique worked in Chrome and Safari and the new Edge. It did not work with Firefox. While Googling for some similar examples, I found discussions about the Developer Tools detection back to 8 years ago. Still relevant today!

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/arguments/callee

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/get

Senior ISC Handler - Freelance Cyber Security Consultant

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

以上就是关于这个话题的完整分享，希望能对大家有所帮助。如果还有其他问题，欢迎在评论区留言讨论。

Reference: Anti-Debugging JavaScript Techniques - SANS ISC

在做前端安全相关需求时，JavaScript这个问题绕不开，刚好把踩坑经验分享一下。

Want to learn advanced techniques? Check out our premium courses.

正文

The most common JavaScript vulnerabilities include Cross-Site Scripting (XSS), malicious code, Man-in-the-middle attack and exploiting vulnerabilities in the source code of web applications. In this article, we’ll take a look at the most common JavaScript vulnerabilities and how to prevent them through popular modern security approaches combined with testing tools (e.g, auditing and code analysis tools, JavaScript vulnerability scanner, etc.). Most common JavaScript attack vectors include: execu

When it comes to JavaScript, understanding the fundamentals is crucial for any developer. This guide will walk you through the key concepts and practical applications.

One of the most important aspects of JavaScript is security. In today's digital landscape, protecting user data and preventing unauthorized access should be top priorities for every project.

Performance optimization is another critical factor. Efficient code not only provides better user experience but also reduces server costs and improves scalability.

Modern development practices emphasize modularity and reusability. By breaking down complex systems into smaller, manageable components, teams can collaborate more effectively and maintain codebases more easily.

Testing should never be overlooked. Comprehensive test coverage helps catch bugs early and ensures that changes don't break existing functionality.

Documentation is equally important. Well-documented code is easier to understand, maintain, and extend by team members both present and future.

Version control systems have revolutionized how developers collaborate. Understanding Git workflows and best practices is essential for modern software development.

Continuous integration and deployment pipelines help automate the build, test, and release processes, reducing human error and speeding up delivery cycles.

Monitoring and logging provide visibility into production systems, enabling quick identification and resolution of issues before they impact users.

The devOps culture promotes collaboration between development and operations teams, breaking down silos and improving overall efficiency.

更多内容

除了上面提到的内容，还有几个点值得注意。首先是浏览器的兼容性，不同浏览器对Web Crypto API的支持程度有所不同。其次是性能问题，加密操作在大量数据时可能会影响用户体验。最后是密钥管理，如何安全地存储和传输密钥也是一个需要考虑的问题。

有问题欢迎评论区交流，看到会第一时间回复大家一起讨论。

Reference: JavaScript Security | JavaScript Vulnerabilities