JavaScript Protection For Release Teams · Since 2004
Protect shipped JavaScript without making your release flow heavier.
Try the online obfuscator in seconds, move to desktop when source must stay local, or wire the API and npm CLI into CI. Maximum mode still delivers per-build polymorphic protection, but the workflow stays practical from first evaluation to repeatable releases.
Online preview for fast evaluation
Desktop app when code must stay local
API + npm CLI for repeatable builds
4 shipping paths
Online tool, desktop GUI, hosted API, and npm CLI for different release constraints.
22 years of releases
Continuous shipping since 2004 from Richscripts Inc, Toronto, Canada.
Anti-LLM Maximum from $29
Per-build polymorphic decoding stays available in every paid tier instead of hiding behind enterprise pricing.
2004
First shipped. Continuous releases for 22 years.
Heritage
$29 = 1 GB
Entry tier with anti-LLM Maximum mode included.
Pricing
Per-build
Polymorphic decoder regenerated every release.
Anti-LLM
4 paths
Online, desktop GUI, hosted API, npm CLI.
Workflow
Used by product teams worldwide
Buyer research tends to move faster when the proof is visible, not buried in another page.
Why Teams Are Re-Evaluating Older Setups
That is the real shift buyers are reacting to. Modern AI tools are much better at recognizing repeatable transform signatures, so the important question is whether the next release looks meaningfully different from the last one.
Older static output
Same transform signature, release after release.
Once the decoder pattern, naming style, and string placement are familiar, the next build becomes faster to explain and modify.
- Past reverse-engineering work carries into the next version.
- Readable literals still reveal intent, APIs, and business rules.
- LLM prompts benefit from already-seen examples of the same shape.
Per-build Maximum mode
Each build changes the visible shape again.
Maximum mode regenerates the decoder shape, key path, and identifier prefix so the next release does not look like a solved copy of the last one.
- Runtime-decoded constants remove the usual literal anchor points.
- Flat-transformed control flow changes how the program reads.
- Analysts and LLMs have to start a fresh pass on every release.
What This Changes
Reverse-engineering work stops compounding as cleanly from one build to the next.
The goal is not to claim "unbreakable." The goal is to make the next release materially harder to explain, copy, and extend than a fixed-shape alternative.
01
Same protection story across workflows
Online preview, desktop app, hosted API, and npm CLI all point back to the same core protection model.
02
Better fit for active release pipelines
Teams can keep the lighter preview path for testing and step up to Maximum mode when shipping sensitive browser logic.
03
Clearer buyer conversation
Security reviewers can compare "static transform" versus "per-build variance" without digging through long blog posts first.
Find Your Fit
The right amount of protection depends on what an attacker actually wants from your code. Pick one and the recommendation appears below.
Recommended: Standard preset. Variable renaming and string encoding stop the casual copy-and-paste copycat. The Free tier is enough — no credit card required. Upgrade only if your usage grows beyond 200 MB/month.
Open Standard Preset ›
Recommended: Maximum preset. Per-build polymorphic decoder, encrypted constant pool, flat-transformed control flow, self-defending wrapper. The threshold an attacker has to cross becomes uneconomical for most non-state actors. Available in every paid tier from $29/month.
Open Maximum Preset ›
Recommended: Maximum preset + a runtime monitoring suite. Maximum mode raises the cost of analysis; runtime monitoring catches tampering when it happens. Server-side authority on anything that grants access. Obfuscation is one layer in a layered defense, never the only one.
Pricing
No sales call. No "contact us for pricing." Maximum-mode anti-LLM protection is included from the entry tier up — never gated to a higher plan.
Bytes per dollar at the entry tier
10× the bytes per dollar. Anti-LLM Maximum mode included from $29.
Start free
$0/month
A no-cost starting point for quick evaluations and basic obfuscation workflows.
Best for first previews
- 200 MB monthly quota
- 20 files per request
- Name mangling
- String encoding
Individual builds
$29/month
Maximum-mode protection for individual developers shipping active products.
Best for solo release flow
- 1 GB monthly quota
- 50 files per request
- 10 MB max file size
- Compression included
- All Free features
Most popular
$49/month
The best balance of capacity and advanced controls for repeatable team releases.
Best for growing teams
- 3 GB monthly quota
- 1000 files per request
- 30 MB request size
- Replace globals + protect members
- Dead code insertion
High-volume pipelines
$99/month
Higher limits for larger release pipelines and broader file-processing capacity.
Best for larger throughput
- 9 GB monthly quota
- 3000 files per request
- 120 MB max file size
- Best compression ratio
- All Corporate features
Compare all four plans in detail ›
The Question Every Procurement Reviewer Asks
What actually changes when the output shape is different on every release?
Short answer: no, for output that regenerates its decoder shape every build. Yes, for static obfuscators in their training data.
Every release changes the attack surface.
Maximum mode regenerates the decoder shape, key path, and identifier prefix instead of shipping one static transform signature forever.
LLMs lose the shortcut they rely on.
Pattern-matching works well against fixed obfuscators. It degrades when the next build is structurally different from the last one.
Runtime-decoded constants remove obvious clues.
Strings, names, and readable branches stop acting like anchor points for reverse engineering and code explanation prompts.
// What an LLM sees on a Maximum-mode build:
// (function(){var _0xa3=_dec(0x4a); ... })();
//
// What it CAN'T tell you:
// - what _dec(0x4a) decodes to
// - which case the state machine runs first
// - what the original variable names were
// - what the strings are
//
// All of that lives behind the decoder,
// which only runs at runtime.
Procurement-Ready
Source-handling, release validation, compliance vocabulary, and workflow-to-policy fit are all documented. Your security team can review without scheduling a discovery meeting first — and that's the point.
Review pack ready
Workflow and trust docs
Local-only path included
In-memory processing
Submitted JavaScript is processed in server memory only, and the desktop workflow keeps source on the workstation throughout.
Compliance vocabulary mapped
GDPR data minimisation, OWASP A04/A09, PCI DSS 4.0 client-side script integrity, HIPAA-adjacent code, and NIST SSDF concerns are addressed in one place.
Honest scope
No SOC 2 or ISO 27001 claims today. We publish the handling details, support path, release-validation guidance, and local-only option we do have.
Desktop App
For PHI-adjacent web apps, on-prem build pipelines, or any project where the JavaScript source code can't be uploaded to a third-party server — use the desktop GUI. Batch process entire projects, including JavaScript embedded in HTML, PHP, ASP, ASPX, and JSP. Generate a deterministic command line you can check into your release pipeline.
Mixed-file support for HTML, PHP, ASP, ASPX, and JSP
Deterministic command line for release automation
Local-only path for sensitive source code
Three Ways To Start
Use the online tool for quick evaluation, move to desktop when source must stay local, or hand procurement and engineering the deeper docs when they need release-process details first.