JavaScript Obfuscator (Max)

Browser-only JavaScript obfuscator powered by the javascript-obfuscator engine (same core as obfuscator.io). Minify, rename identifiers to confusable X/x blobs, string array with rotation + shuffling + RC4/base64 encoding, control-flow flattening, dead code injection, split strings, self-defending + debug protection, plus an optional XOR-cipher final wrap. Nothing ever leaves the page.

Tool Web & Dev Updated Apr 20, 2026

How to Use

Paste JS into the input box (a full module, a bundled file, inline snippets — all work).
Pick which layers to apply or hit Max Security to enable everything.
Click Obfuscate. First click downloads the javascript-obfuscator bundle (~1.4 MB, browser-cached after) so the whole thing runs client-side.
Verify runs the obfuscated code in a sandboxed iframe and compares console output with the original.
Copy or download the result as .js.

Obfuscation layers

1 Minify compact:true, strip comments 2 Rename identifiers all vars -> confusable X/x blobs (post-process) 3 String array (+ RC4 + base64) rotate + shuffle + encode every string 4 Split strings break literals into chunks 5 Control-flow flattening linear code -> switch state machine 6 Dead code injection random never-executed branches 7 Self-defending + debug protection breaks DevTools (can annoy you too) 8 Transform object keys {foo: 1} -> computed property soup (can break spread / destructuring) 9 XOR cipher wrap final payload encrypted, decrypts + evals at runtime

The nine layers

1. Minify

comments + whitespace stripped, compact output

2. Rename

_0xAbCd -> XxXXхxХXxX (Latin + Cyrillic confusables)

3. String array

all strings -> indexed array, rotated, shuffled, RC4 + base64 encoded

4. Split strings

"hello" -> "h" + "el" + "lo" (random chunks)

5. Control flow

linear flow -> switch state machine in a loop

6. Dead code

injects never-executed branches + fake functions

7. Self-defending

breaks DevTools, infinite debugger traps (optional)

8. Object keys

{foo:1,bar:2} -> o={},o[key1]=1,o[key2]=2

9. XOR cipher

final payload XOR'd with random key, one-line self-decrypting wrapper

Frequently Asked Questions

Does my source leave the page?

No. javascript-obfuscator is a full browser bundle and everything runs inside your tab. No server call, no upload.

Is this reversible?

Nothing perfect — a determined reverse engineer can still unpack. But the stacked passes (string array + rotation + RC4 + control-flow flattening + dead code + debug protection + XOR wrap) force any attacker to either run the code or write a custom deobfuscator.

What is control-flow flattening?

Linear statements are rewritten as a big switch-in-a-loop that jumps between "states". Reading control flow becomes very hard without running the code.

Why is debug protection annoying?

When enabled, the obfuscated code fights browser DevTools: infinite debugger statements, attribute tampering detection. Keep it OFF for code you want to be able to debug yourself.

Will this break my code?

Rarely. Code that inspects its own source (Function.prototype.toString tricks), or relies on eval() variable hoisting, or uses specific function.name values may need "reservedNames" configured. The Verify button runs both versions side-by-side so you can catch regressions.

Common Use Cases

Protect commercial JS

Make source hard to read before shipping a bundle to customers.

CTF / reverse-engineering challenge

Build a JS challenge that takes serious effort to unpack.

Strip PII from shared JS

Use only the rename + string array layers to hide internal names / keys / endpoints before a demo.

Post-minify hardening

Add a second obfuscation layer on top of your existing minified build.

Last updated: April 20, 2026