Tools for Obfuscating HTML and CSS

HTML/CSS Obfuscation Compiling

Try http://www.cssobfuscator.com/:

What it does:
- It will take your CSS file, apply minification, encoding and encypting and finally injects this unreadable crap into tailored JS library (also obfuscated).

- The result you will get is this tailored (unique) library, containing obfuscated CSS. Just include it in the place of the original CSS.

What it does not:
- It will not speed up displaying of your web.

- It will not hide CSS rules in inspector (developer's tools) - but it don't mind, attacker will probably not copy all stuff by one rule.

Or http://htmlmuncher.com/: (Dead link, Github repository)

HTML Muncher is a command line utility written in Python that rewrites classes and ids in CSS, HTML, and JavaScript files in order to save precious bytes and obfuscate your code.

How it Works
1. You pass in a list of CSS, HTML, and JavaScript files to be rewritten

2. The CSS and JavaScript files are scanned to find any class and id references

3. The classes and ids are mapped to new classes and ids with 1 or 2 letter names (a, b, c ... aa, ab, ac ...)

4. The files are rewritten with the new class and id names and saved to a new location on disk

Minifying and Obsfucating CSS similar to Javascript

It is very difficult to 'minify' HTML or CSS because all that can safely be saved is white space (which doesn't amount to a huge saving). As for class renaming, you loose an important part of the web which is having semantic code (which represents meaning). I think the best option is to ensure that you have gzip compression enabled on your web server and focus on combining your assets into a single file wherever possible.

How can I obfuscate (protect) JavaScript?

Obfuscation:

Try YUI Compressor. It's a very popular tool, built, enhanced and maintained by the Yahoo UI team.

You may also use:

  • Google Closure Compiler
  • UglifyJS

UPDATE: This question was originally asked on 2008, and The mentioned technologies are deprecated. you can use:

  • terser - more information in web.dev.

Private String Data:

Keeping string values private is a different concern, and obfuscation won't really be of much benefit. Of course, by packaging up your source into a garbled, minified mess, you have a light version of security through obscurity. Most of the time, it's your user who is viewing the source, and the string values on the client are intended for their use, so that sort of private string value isn't often necessary.

If you really had a value that you never wanted a user to see, you would have a couple of options. First, you could do some kind of encryption, which is decrypted at page load. That would probably be one of the most secure options, but also a lot of work which may be unnecessary. You could probably base64 encode some string values, and that would be easier.. but someone who really wanted those string values could easily decode them. Encryption is the only way to truly prevent anyone from accessing your data, and most people find that to be more security than they need.

Sidenote:

Obfuscation in Javascript has been known to cause some bugs. The obfuscators are getting a little better about it, but many outfits decide that they see enough benefit from minifying and gzipping, and the added savings of obfuscation isn't always worth the trouble. If you're trying to protect your source, maybe you'll decide that it's worth your while, just to make your code harder to read. JSMin is a good alternative.

obfuscation tool for asp.net for html

You can't obfuscate HTML beyond what browsers will interpret. This means you can remove all white space to make things rather unpleasant to read, but this would be trivial to format back to neatly tabbed code.

Do you really have a HTML layout that is so unique you are worried it will be copied? Surely your IP is either in the content or in the application rather than in the HTML output.

Why does Google obscure HTML/CSS classes on Google+?

The source for unreadable identifiers can be:

  • minification
  • obfuscation
  • random Id generation

Google Plus is probably implemented as a GWT (or similar framework) application with minified resources (javascript and css files) and automatically generated identifiers. Minification is also widely used as a tool for obfuscating the code so the unreadability is partly intentional too.


Related Topics

Bad Value X-Ua-Compatible for Attribute Http-Equiv on Element Meta

Twitter Bootstrap: Center Pills

Configuring Android Web Applications

How to Correctly Use "Scoped" Styles in Vuejs Single File Components

How to Have Two Items on Opposite Sides on The Same Line

Maintain Image Aspect Ratio in Carousel

Link to Reload Current Page

Using: After to Clear Floating Elements

How to Define a Dynamic Mixin or Function Name in Sass

Achieving Sub Numbering on Ol Items HTML

Internet Explorer and Clip-Path

CSS Rounded Corners

How Is HTML5 Webstorage Data Physically Stored

How Many Characters Are Possible in an Input Field in HTML

Why Does Chrome 80 Cause This Grid-Template-Rows: Auto Problem

Tooltips for Button Elements

Adding Style to File Upload Button in CSS

Zebra Striping a Flexbox Table with Wrapping Items


Leave a reply



Submit