Hiding JavaScript with PHP

I’ve seen a lot of how-to’s and ideas on blocking, hiding or encrypting your JS files from non-savvy users.

But, the thing is I’m not really worried about the non-savvies, it’s the savvy ones that I don’t want having access to my JS files.

So, I thought instead of trying to protect my JS files, why not hide their location altogether from the get go? It’s never just this easy I know, but I still wonder if instead of using the typical;

<script type="text/javascript" src="js/comegetme.js"></script>

method to call to/import a JS file that there might be a PHP alternative to import it? That way it wouldn’t even be seen in the source code at all.

I’m sure to the real savvy user there is still an easy way to nab the JS, and of course no matter what you do, it’s just a deterrent, if you have something someone wants bad enough, they’re going to get it no matter what.

I’m sure someone could suggest a heavier method, but I’m still just interested in this light weight method for small websites.


JS is a client side script, the browser has to download it in order to run it. And if the browser can download and run it the “savvy” user can download it and see it.

Why do you want to hide your javascripts?

Trying to hide javascript from the client is the same nonsense as trying to hide gas from your car. No one will drive it away, yes. Yourself included.

I completely agree, the idea isn’t to obfuscate the JS or browser in any way from doing their job, just to call to or import the JS file via PHP so that its file location is hidden to the user, if this just isn’t possible let me know, but if it is I think it’s an interesting idea that could have some relevant use.

I personally don’t want to or have any reason to hide my JS files, I’m actually all about the open source free love, but I do want to know for client projects and if in the future I work on something that needs to be secured I’d like to know.

Does anyone know of or have any ideas on the method I’m talking about?

That’s a horrible analogy that doesn’t really make any sense contextually at all, some programmers take their work very seriously and want it copyrighted and protected.

A more accurate analogy would be hiding JS from the end-user is like hiding the secret ingredients of KC Masterpiece from customers. They can still enjoy the website or their sauce to the full extent, but that doesn’t mean that you have to give them all the secrets so they can do it themselves or recreate it and sell it to others, sometimes it’s just business.

I’m not saying that I have the KC Masterpiece of code that needs protecting, but I do have clients that have businesses that are almost solely based on web software that might see value in such precautions. I’m all about open source (within reason), but that doesn’t mean everyone is or should be. There are always more sides or reasoning to something to think about other than your own.


Don’t you understand that your “hiding” php file would be just another location of the JS?
And nothing prevents me from requesting this file with exactly the same result as if it was the js file itself?

JS never needs to be “secured” and has nothing in common with securing projects. You have to devise another tale.

header('Content-Type: text/javascript');


If the browser cannot access the JavaScript, the browser cannot run the code.

Unlike PHP, which is parsed on the server, and sends the finished result to the browser.
JavaScript runs in the browser, and if the browser can run the JavaScript the user can access the code.

The PHP code is hidden from the user, because it runs somewhere else.
The JavaScript cannot be hidden, because it runs on the client machine.

There is simply no way to hide your JavaScript from the user.

I’m not sure why the rude tone, but it’s pretty inappropriate and definitely unnecessary. If you have some problem with the idea I’m proposing, you certainly do not have to be a part of this conversation. A tech forum is primarily to discuss ideas/problems and the possible solutions or alternatives, not to drop in just to leave rude and unhelpful comments.

If you want to continue to discuss the goal, I would be happy to hear your valid thoughts on why this couldn’t work, as long as you can do so in an intelligent, polite and mature fashion.

Correct me if I’m wrong or you disagree, PHP is completely server-side, the browser and end-user never actually see the PHP code, only the output or nothing at all.

Okay, now I don’t mean the end-user page calling to a .php file that contains JS or that calls to a JS file.

I mean, the end-user page containing PHP in the head section that calls to a JS file.

I would be happy to hear valid points of why or why not that’s possible, I’m not however interested in hearing whether something like that should or shouldn’t be done, that is in no way helpful to the point of this thread.

Someone’s going to say this anyways, so I’ll say that I agree that yes, absolutely if there is such sensitive or important data that it should have been done right with PHP in the first place. But, as many of you know when you walk into a client’s project, you don’t know what you’ll find.

If anyone has any helpful input, I would surely appreciate it.


I would be happy to hear valid points of why or why not that’s possible

here you are

        <script type="text/javascript">
            <?php echo file_get_contents('/path/to/src.js'); ?>
        </script>

Right, I understand all that… I was just hoping that it might be possible for the browser to privately communicate with the JavaScript and didn’t have to allow users access to it, the literal file I mean.

Thank you for the helpful and relevant answer by the way. I’m not a programmer and I need some light shed on the subject every now and then. I’m curious if this is a possible good solution, or if you can see many holes in it right away?:



I’ve never seen Javascript put into a session LOL, strange. That actually seems like a smart trick – BUT not a good idea with a lot of data such as a JS framework in sessions… LOL mercy, imagine 500 users hit your site, that’s 500 stored sessions with ALL the JS code LOL and recreating it into a new file on your server 500 times LOL it just seems bad but I actually don’t know anything lol

No it’s not possible. The act of delivering the JS code to the browser is one and the same as the act of delivering it to the user (if they wish to find it).
You can obscurify and minify it so it’s harder to understand, but it will always be available. The concept of hiding the location of a physical .js file on the server is irrelevant. The file is not the point, it’s just a convenient way for the web server to deliver the JS code. The Developer Tutorials article might work if the user opened the script path as a new request, but Firebug or any similar developer tool (which runs inside the browser) will still have access to the JS.

JREAM - the JS code wasn’t being stored inside the session. A session value was just being checked, and the JS was being served to the client if found.

A determined savvy user will beat anything you do. Web browsers have debuggers that will show you all the javascript. Even if they didn’t, a packet sniffer will grab it.

If you design something whose security relies upon the javascript being a secret, your security will fail.

I can remember doing something like that with some key parts of the js being fetched from a cookie, which I had previously loaded.

As I recall it did work (to my astonishment) but was so unfathomable, brittle and unmanageable I gave it up as a bad job.

It’s all a bit hazy now, it may have been one of those Friday afternoon (post-pub) ideas I used to have.

If it were I, I’d have the resource accessible via a regular, system managed, entry point (or URI if you will).

Much in the same way you’d have your user meet certain authentication requirements to access http://www.example.org/account/preferences/, you would implement these same checks to access http://www.example.org/assets/js/thingy-ma-bob which would serve up the js.

This enables you to maintain a central and unified mechanism for authentication.
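
A sketch of the entry point described in the post above, added here as an example (not code from the thread or from any poster). The `user_id` session key, the allowlist and the file path are assumptions.

```php
<?php
// Added example, not from the thread. Hypothetical front controller for
// /assets/js/<name>; the 'user_id' session key and file paths are assumptions.
declare(strict_types=1);

// Allowlist: public asset name => file stored outside the web root.
const JS_ASSETS = [
    'thingy-ma-bob' => '/var/www/private/js/thingy-ma-bob.js',
];

// Returns [status, headers, body] so the decision logic is separate from output.
function serve_protected_js(string $name, array $session): array
{
    // Same check that guards /account/preferences/: no login, no asset.
    if (empty($session['user_id'])) {
        return [403, ['Content-Type' => 'text/plain'], 'Forbidden'];
    }
    // Never build a filesystem path from the request; look the name up instead.
    if (!array_key_exists($name, JS_ASSETS) || !is_readable(JS_ASSETS[$name])) {
        return [404, ['Content-Type' => 'text/plain'], 'Not found'];
    }
    return [200, [
        'Content-Type'           => 'text/javascript; charset=utf-8',
        'X-Content-Type-Options' => 'nosniff',
        // Keep shared caches from storing a copy that skips the login check.
        'Cache-Control'          => 'private, no-store',
    ], (string) file_get_contents(JS_ASSETS[$name])];
}

// Entry point when run under a web server.
if (PHP_SAPI !== 'cli') {
    session_start();
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH) ?: '';
    [$status, $headers, $body] = serve_protected_js(basename($path), $_SESSION);
    http_response_code($status);
    foreach ($headers as $key => $value) {
        header("$key: $value");
    }
    echo $body;
}
```

This controls who may fetch the script, not whether an authenticated user can read it once their browser has it.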

There is no way to do what you ask, BUT there are ways to make it hard for people to get your file.

This is what you have to do:
#1 obscurify and minify all your JS files.
#2 in your header pages, include a javascript file A that will include another JS file B with all your functionality (ajax load, execute/ unload)
#3 your A js file will be generated by PHP, and will always have a different URL.
#4 your B js file, will always have a different URL (linked to by A)
#5 you should have multiple versions of your A file, obscurified / minified with different methods (so serve ones at random).
#6 track requests to your JS files in the session (account for multiple tabs), and if you get a request you shouldn’t have (request B before A, etc), then serve some random js code (obscurified / minified), and flag the session/ip so all other requests to it will give the user that fake js (but also tag the correct requests, so you always serve the right stuff there).

You can do this type of thing to make the people trying to steal your JS waste a bit more time to successfully get your JS. But people that know what they are doing won’t have a problem getting your code (no matter what you do, you can intercept the network packets and make up the code from there).

But before you do this, ask yourself if it’s worth it.
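
Steps #3, #4 and #6 of the list above, reduced to session-bound single-use URLs, as an added example (not code from the thread). The function names, session keys, `/js.php` URL and file path are hypothetical, and a plain array stands in for `$_SESSION` in the constructed walk-through.

```php
<?php
// Added example, not from the thread. Function names, session keys,
// the /js.php URL and the file path are hypothetical.
declare(strict_types=1);

// Steps #3/#4: mint an unpredictable, single-use URL for loader A or payload B.
function issue_js_url(array &$session, string $kind): string
{
    $token = bin2hex(random_bytes(16));
    $session['js_tokens'][$token] = $kind; // a map, so several tabs can be pending
    return '/js.php?t=' . $token;
}

// Step #6: unknown or replayed tokens flag the session; flagged sessions stay flagged.
function redeem_js_token(array &$session, string $token): ?string
{
    $kind = $session['js_tokens'][$token] ?? null;
    unset($session['js_tokens'][$token]); // single use
    if ($kind === null || !empty($session['js_flagged'])) {
        $session['js_flagged'] = true;
        return null;
    }
    return $kind;
}

// Body to send for a request carrying $token.
function js_response(array &$session, string $token): string
{
    $kind = redeem_js_token($session, $token);
    if ($kind === null) {
        return '/* decoy */ void 0;';
    }
    if ($kind === 'A') {
        // A is generated per request; B's URL does not exist before A is served.
        $b = issue_js_url($session, 'B');
        return 'var s=document.createElement("script");s.src='
            . json_encode($b, JSON_UNESCAPED_SLASHES) . ';document.head.appendChild(s);';
    }
    return (string) file_get_contents('/var/www/private/js/b.min.js');
}

// Constructed walk-through; a plain array stands in for $_SESSION.
$session = [];
parse_str((string) parse_url(issue_js_url($session, 'A'), PHP_URL_QUERY), $q);
$loader = js_response($session, $q['t']); // first fetch: loader with a fresh B URL
$replay = js_response($session, $q['t']); // same URL again: decoy, session flagged
var_dump(strpos($loader, '/js.php?t=') !== false, $replay === '/* decoy */ void 0;');
```

A legitimate reload that re-requests an already used URL is flagged as well, and the script served on the first valid load is still visible in the browser's developer tools.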

Great, thank you to everyone who was polite, professional and courteous and left helpful replies.

So, I think we can all agree that if someone really wants your JS, they will have it, and if it’s really sensitive data it should certainly be handled in PHP or some other server-side method.

However, if someone for example has worked very hard on a JS file and they don’t exactly want it to be open source, although they don’t really have any choice :wink: there are some precautions;

1. Copyright and make it clear under what circumstance your JS is available to others if at all.

2. You could obscurify and minify your JS.

3. There are some methods for “hiding” your JS (example), but there may still be holes and the cons of hiding your JS might not be worth it.

4. Probably the best method would be to convert your JS to PHP, I don’t know if there is any automated way to do this. But, more than likely if you’re a programmer yourself you’ll have to do this manually or if like me you’re not a programmer, hire someone.

If anyone has anything to add please do, and if anyone happens to know of an actual ingenious way that isn’t overkill to protect JS please let us know.

I’m going to mark this as [SOLVED] and again thanks to everyone who was helpful.


It’s a good way to compress your JS file. If you look at Google’s JS, it has been compressed: no spaces or newlines.