The stringArray option is enabled by default and is the foundation of most obfuscation. It extracts string literals and places them in a special array.

// Before
const message = "Hello World";
const endpoint = "/api/users";

// After (with stringArray)
const _0x1a2b = ['Hello World', '/api/users'];
const message = _0x1a2b[0x0];
const endpoint = _0x1a2b[0x1];

Transforms the code structure to hide the original program flow. Makes manual analysis much harder by converting linear code into a state machine with a switch statement.

// Before
function process() {
    step1();
    step2();
    step3();
}

// After (flattened)
function process() {
    var state = '0|1|2'.split('|'), i = 0;
    while (true) {
        switch (state[i++]) {
            case '0': step1(); continue;
            case '1': step2(); continue;
            case '2': step3(); continue;
        }
        break;
    }
}

You can selectively disable obfuscation for specific parts of your code using special comments:

// This code WILL be obfuscated
var secret = 'protected';

// javascript-obfuscator:disable
var config = {
    apiUrl: 'https://api.example.com',  // Stays readable
    version: '1.0.0'
};
// javascript-obfuscator:enable

// Obfuscation resumes here
function sensitiveLogic() { ... }