Disclosure: This post focuses on , a JavaScript protection product to which the author is affiliated (as CTO). Jscrambler Next.js is an open-source React-based framework built on top of Node.js that is aimed at developing web apps. It includes handy features such as hybrid static & server rendering, TypeScript support, smart bundling, and route pre-fetching. In the 2020 survey, Next.js was the second most used back-end framework (behind Express) but claimed the top spot when it came to satisfaction, with 92% of its users stating they are satisfied with the framework. State of JavaScript In this article, we’ll look at how you can integrate into your Next.js app development workflow. This will enable you to protect your JavaScript source code, through a combination of advanced obfuscation, code locks, anti-tampering, and anti-debugging. Jscrambler Prerequisites In order to properly integrate Jscrambler into your Next.js build process, there are two things we need to do first: and . Let's go through those steps. creating a Next.js app configuring Jscrambler Creating Your Next.js Application If you are not very experienced with Next.js yet, feel free to check their " ” tutorial before moving forward. We will actually be using this example app in our integration tutorial, so let’s install it: Create a Next.js App git clone https://github.com/JscramblerBlog/nextjs-jscrambler-integration-tutorial.git Now, let's install all app dependencies using npm: cd nextjs-jscrambler-integration-tutorial
npm i The (simplified) base project structure of our application is as follows: Next.js nextjs-jscrambler-integration-tutorial/
|-- package-lock.json
|-- package.json
|-- README.md
|-- .next
| |-- static/
| | |-- chunks/
| | | |-- pages/
|-- node_modules/
|-- pages/
|-- public/ contains all the configurations which are related to npm such as dependencies, version, and scripts. package.json The directory features all the source code of the application. The sources are then built and packed into the directory. This is where our protected HTML and JavaScript files will be placed after the build. pages .next/static/ The directory contains all publicly accessible files, such as images. public We can easily run a development server just to make sure that the app is running properly. npm run dev You will get a URL in the console with the development server and, after opening it, you should see the app running as shown below. And this is pretty much it in terms of our Next.js app. Let's move forward to protecting it with Jscrambler. Configuring Jscrambler If you haven't created a yet, be sure to do so before moving forward. Jscrambler account All of Jscrambler's configuration will reside inside a single file: . As such, we will need to create this file to specify which transformations we wish to use. .jscramblerrc The quickest way to achieve this is via the . Once there, create a new app. Now, check the and tabs to select the template or transformations you want to use to protect your code. In this tutorial, we'll be selecting the template. If you need help with these steps, please refer to our . Jscrambler Web App Templates Fine-Tuning Obfuscation guide Now, we simply have to download a , which will be used once for quickly getting the required settings. JSON file with all this configuration Now, let's create a new file named in the Next.js project’s root folder. Open the file we just downloaded and copy all its contents to the file. After that, we just have to add two new sections to , which are and (see below). Your final file should look like this: .jscramblerrc jscrambler.json .jscramblerrc .jscramblerrc filesSrc filesDest .jscramblerrc {
 "keys": {
   "accessKey": <ACCESS_KEY_HERE>,
   "secretKey": <SECRET_KEY_HERE>
 },
 "applicationId": <APP_ID_HERE>,
 "filesSrc": [
   "./.next/**/*.html",
   "./.next/**/*.js"
 ],
 "filesDest": "./",
"params": [
    {
      "name": "objectPropertiesSparsing"
    },
    {
      "name": "variableMasking"
    },
    {
      "name": "whitespaceRemoval"
    },
    {
      "name": "identifiersRenaming",
      "options": {
        "mode": "SAFEST"
      }
    },
    {
      "name": "globalVariableIndirection"
    },
    {
      "name": "dotToBracketNotation"
    },
    {
      "name": "stringConcealing"
    },
    {
      "name": "functionReordering"
    },
    {
      "options": {
        "freq": 1,
        "features": [
          "opaqueFunctions"
        ]
      },
      "name": "functionOutlining"
    },
    {
      "name": "propertyKeysObfuscation",
      "options": {
        "encoding": [
          "hexadecimal"
        ]
      }
    },
    {
      "name": "regexObfuscation"
    },
    {
      "name": "booleanToAnything"
    }
  ],
  "areSubscribersOrdered": false,
  "useRecommendedOrder": true,
  "jscramblerVersion": "<7.X>",
  "tolerateMinification": true,
  "profilingDataMode": "off",
  "useAppClassification": true,
  "browsers": {}
} Because we got this information directly via the Jscrambler Web App, our , and fields are already filled. If you wish to retrieve them manually, refer to our . accessKey secretKey applicationId guide It's important to note that the section specifies the transformations that will be used to protect your Next.js app. , by selecting them in the Web App or setting them manually. You can find documentation on all the available transformations . params These can be hand-picked by you here You can also change to match the files you need/want to protect. For our example—and all Next.js apps—we recommend protecting the and files. Certainly, with a better understanding of the project, you may identify what’s critical and essential protecting. filesSrc .html .js By using , the files we send to protect will be overwritten by their protected version. filesDest: './' Integrating Jscrambler in the Build Process Using the CLI is likely the most common way of generating your build. We will use our boilerplate app to showcase how to integrate Jscrambler into the build process. The first step of our integration with is installing the . Simply run: Jscrambler Jscrambler API Client npm i jscrambler --save-dev To integrate Jscrambler in our application's build process via the CLI, we need to create a CLI hook in the section of . The section should look like this: scripts package.json "scripts": {
    "dev": "next dev",
    "build": "next build && jscrambler",
    "start": "next start"
  }, The specific hook will trigger the command after the build process is finished. "build": "next build && jscrambler" jscrambler In order for this command to be executable, we need to make sure that the .jscramblerrc file that we created before is in our project's root folder. We are now ready to protect our code and build our application via the CLI: npm run build This will create the protected production files on . .next/static/ And you're done! Now all your HTML and JavaScript files are protected with Jscrambler against code theft and reverse-engineering. Remember that you can always fine-tune your protections to manage eventual performance hits. If that's the case, be sure to follow our tutorials on and . Code Annotations Profiling Testing the Protected Next.js App As a final step, let's check if the app is running successfully with the newly protected source code: npm run start Open the URL provided in the terminal and it will open up a server with the production files. Now, you can check what your protected code looks like. This can be achieved simply by opening the browser's debugger and opening the files from the "Sources" tab. The protected code should look like this: Conclusion Next.js has truly been a rising star in the web development ecosystem. The 4-year-old framework has been growing rapidly and bringing several welcome features for developers, making it much easier to release production-ready applications. If you're building Next.js applications which have sensitive logic, want to prevent , a security solution such as Jscrambler is a must. reverse engineering, licensing violations, and tampering Integrating Jscrambler into Next.js's build process is simple and enables protecting your code with the most sophisticated , , and capabilities. polymorphic obfuscation code locks self-defensive Previously published at https://blog.jscrambler.com/how-to-protect-next-js-apps-with-jscrambler/

2022 - HackerNoon Contributor of the Year - Security

Protect Your JavaScript

Nominated for 2022 - HackerNoon Contributor of the Year - Security

CTO and Co-Founder of Jscrambler

Too Long; Didn't Read

Get free API security automated scan in minutes

Secure Your Next.js Apps with Jscrambler

Too Long; Didn't Read

@Fortuna

RELATED STORIES