• Only obfuscate your own code.

  Don't VM-obfuscate vendor scripts, libraries, or polyfills. They're already minified and obfuscation will just slow them down.

• Use comment mode for surgical protection.

  Mark only sensitive functions with /* javascript-obfuscator:vm */ instead of protecting everything.

• Test thoroughly after obfuscation.

  Always test obfuscated code in your target environment. Some options can break code in subtle ways.

• Exclude hot paths from VM obfuscation.

  Use vmExcludeFunctions for animation loops, real-time rendering, or frequently called code.

Obfuscation makes reverse engineering harder, but it is not encryption. A determined attacker can always extract data from client-side code.

Instead, you should:

• Store secrets on your backend server
• Use environment variables server-side
• Proxy API calls through your backend to hide keys
• Use short-lived tokens issued by your server

VM obfuscation is ideal for:

• Proprietary algorithms and business logic
• License validation code (client-side checks)
• Anti-tampering and integrity checks
• Game logic and anti-cheat mechanisms
• Premium feature implementations
• Pricing calculation logic