How to disguise url in javascript?

Question

Let's say I have a URL as part of a webpage script like this:

<script>
var url = "http://www.example.com";
</script>

I don't want people to be able to read this URL easily. Obviously I realise that once it hits the client side they will be able to reverse engineer my code.

But I'm looking for a lightweight way to disguise this so that people can't just view/click it easily with view:source.

Answer 1

First of all:

This is NOT secure, and i would NOT recommend this for anything security related.

But if you have to do it:

You can use a javascript obfuscator, which basically makes your code unreadable while it still works as i should.

Remember unreadable is not equal to undecodable.

It turns your javascript:

var url = "http://www.example.com";

Into:

var _0x5386=["\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63\x6F\x6D"];var url=_0x5386[0]

Which is 100% the same code, just unreadable:

var _0x5386=["\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63\x6F\x6D"];var url=_0x5386[0]

console.log(url); // http://www.example.com

Else take a look at Nick Bull's answer if you want to encode the url, but this will still leave your url readable for the naked eye if reading the javascript code.

This method does also have a weakness to the console window, since anyone could just type in the variable "url" and receive the url.

So all in all, this method will not leave your url in plaintext, but it does have the same console flaw like Nick Bull's answer.

But again, this is NOT secure.

Answer 2

Jscrambler is the best option I have found if you want to conceal anything in your code. You can also add other layers of security to make reverse-engineering unfeasible and make the code detect debugging.

Answer 3

See MDN docs, you can use base64:

// Encoding
var encoded = btoa(stringValue);

// Decoded
var decoded = atob(stringValue);

Easily decoded by anybody who knows how to access the browser console.