Documentation

Guides for protecting production JavaScript

Reference guides for release workflows, command-line usage, cross-file protections, and the desktop app.

Build And Release Workflows Download Desktop
Inside The Docs

Practical guides, not placeholder pages.

How-to guides Start with release sequencing and command-line usage, then move into feature-specific references.
Advanced protection Browse cross-file controls like Replace Globals and Protect Members when a build spans multiple scripts.

Migrating from Jscrambler

  • Jscrambler Code Integrity customers
  • Corporate or Enterprise when runtime defense, reports, and advanced workflow matter

Use this guide when an existing Jscrambler Code Integrity deployment is being evaluated against JavaScript Obfuscator. The products overlap on code protection and runtime defenses, but the buyer fit is different: Jscrambler is a broader client-side security platform with hosted monitoring and compliance programs; JSO is a self-service protection workflow with online, desktop, API, release-report, and customer-owned monitoring paths.

When JSO is the better fit

Three reasons come up consistently when teams compare the two products:

  • Posted pricing and self-service start. JSO publishes plans on premium-membership.aspx. A team can sign in, generate an API key, run npx jso-protector --init, and test a protected build without waiting for procurement scoping.
  • Online, desktop, and API paths in one workflow. JSO is practical when one team member wants a browser preview, another wants the Windows desktop app, and release engineering wants a repeatable CLI/API job.
  • Local symbolication and release evidence. JSO returns identifier maps and release metadata that your team can store, review, and use locally with jso-symbolicate.

Feature mapping

Jscrambler featureJSO equivalent
Identifier mangling, string concealing, control flow flattening, dead-code injection Direct equivalents: NameMangling, MoveStringsIntoArray + EncodeStrings + EncryptStrings, FlatTransform, DeadCodeInsertion. See the docs catalog for each option.
Polymorphic outputs (different bytes per build) JSO produces polymorphic output by default. Verifiable via Report.PolymorphismFingerprint in every API response. Two consecutive obfuscations of identical input MUST produce different fingerprints.
Code Locks — calendar / domain / counter LockDate + LockDateValue (calendar), LockDomain + LockDomainList (domain). Counter locks ship via the runtime self-defending heartbeat — Runtime Defense docs.
Self-defending (tamper-detection runtime guard) JSO's SelfDefending + SelfDefendingIntervalSeconds heartbeat. Beacon callback when the integrity check fails. Configurable runtime action (redirect, callback, beacon).
Anti-debugging, devtools detection DebugProtection, BlockDevToolsKeys, DisableConsoleOutput, DetectHeadlessBrowser.
Threat monitoring — live dashboard of tamper events JSO Runtime Defense emits events to customer-owned monitoring. Use the first-party forwarders for Splunk HEC, Elasticsearch, Slack/Discord, or signed webhooks. JSO does not currently host the full incident dashboard that Jscrambler sells.
Source maps + symbolication Identifier maps included in every API response under Report.GlobalIdentifierMap / Report.MemberIdentifierMap. Demangle locally with jso-symbolicate; first-class integrations for Sentry, Bugsnag, Rollbar, Datadog, Honeybadger, Raygun, Airbrake, AppSignal. Maps never leave your machine.
Webskimming / third-party tag protection (PCI DSS v4) JSO provides runtime script inventory, Magecart-style detections, and a PCI DSS v4 evidence report for protected builds. It is not a full replacement for a managed Webpage Integrity or PCI DSS governance program.
Webpack / Rollup / Vite / esbuild build plugins Drop-in equivalents: jso-protector/webpack, jso-protector/rollup, jso-protector/vite, jso-protector/esbuild. See the npm CLI guide for the full list.
CI/CD integration Ready-to-drop templates for GitHub Actions, GitLab CI, CircleCI, Jenkinsfile, Azure Pipelines, Bitbucket Pipelines — node_modules/jso-protector/ci/ after install. Auto-tag with the commit SHA via --label.
IDE integration Marketplace-ready VS Code extension and JetBrains plugin (WebStorm, IDEA Ultimate, PhpStorm, PyCharm Professional, RubyMine, GoLand, Rider). Three presets, env-var-first credentials.
customLabel CI metadata jso-protector --label "$COMMIT_SHA". The label rides on the API request as ReleaseLabel and groups dashboard audit entries by commit.

Where Jscrambler still leads

Honest gap list, so the decision is informed:

  • Managed Webpage Integrity and PCI programs. If the buying need is continuous third-party-script governance, payment-page monitoring, and vendor-led compliance operations, Jscrambler is the stronger fit.
  • Hosted threat-monitoring dashboard. JSO forwards runtime events into your monitoring tools. Jscrambler is stronger when the team wants the vendor-hosted alerting and incident UI.
  • Enterprise rollout and managed onboarding. Jscrambler is built for a sales-led platform deployment. JSO is intentionally easier to start; contact support when you need an Enterprise support shape.
  • One platform for broader client-side security. JSO focuses on first-party JavaScript protection workflows. Jscrambler's broader portfolio includes Webpage Integrity, Iframe Integrity, PCI DSS, and Code Integrity under one vendor platform.

Migration checklist

  1. Inventory. List every entry point Jscrambler currently protects: dist folders, webpack outputs, inline HTML scripts, mobile bundles. The migration scope equals this list.
  2. Export your current Jscrambler config (the .jscramblerrc or web-dashboard JSON). Use it as the reference when mapping options below.
  3. Provision a JSO API key. Sign up, upgrade to Corporate, generate a key under Dashboard → API Keys.
  4. Install the CLI: npm install --save-dev jso-protector, then npx jso-protector --init to generate a starter jso.config.json.
  5. Translate options using the feature mapping above. controlFlowFlatteningFlatTransform; stringConcealingEncryptStrings; lock options stay 1:1.
  6. Preserve public names. Carry Jscrambler's identifierNames exclusion list across as reservedNames in jso.config.json (or as a multi-line VariableExclusion block).
  7. Run side-by-side. Protect into dist-jso-protected/ while keeping the Jscrambler-protected output as the live release. Smoke-test the new bundle against your existing test suite.
  8. Wire CI: copy the right template from node_modules/jso-protector/ci/ into your repo. Add JSO_API_KEY and JSO_API_PASSWORD as secrets.
  9. Route runtime events. If you currently rely on Jscrambler alerts, wire JSO Runtime Defense to Splunk, Elasticsearch, Slack/Discord, or a signed webhook before cutting over.
  10. Wire your error reporter. If you use Sentry / Bugsnag / Rollbar / Datadog / Honeybadger / Raygun / Airbrake / AppSignal, follow the symbolication doc — one require + one config-flag.
  11. Cut over. Flip the deploy to the JSO-protected bundle. Keep the Jscrambler config in source control for two release cycles in case you need to roll back.
Next: read the npm CLI workflow, Runtime Defense, and stack-trace symbolication doc pages. Or jump straight to the migration guide for the OSS package if you're also coming off javascript-obfuscator.