NEXT-CSS-OBFUSCATOR

Project starts on 30-10-2023

!Tests    


 

---

Visit the GitHub Page for better reading experience and latest docs. 😎

---

$3

>[!IMPORTANT]\
> This version is a major update and has breaking changes. Please read the migration guide carefully before upgrading.

>[!TIP]\
> Don't upgrade to this version unless you are using TailwindCSS 4.0.0 or above. "If it works, don't touch it." :)

#### 📌 Feature Changes

- Support TailwindCSS 4.
- Support nested CSS.
- Support CSS idents obfuscation.

#### 📌 Configuration Changes

- enableJsAst option is now enabled by default.
- Default generatorSeed not longer fixed to -1, but a random string.
- simplify-seedable mode is not longer supported. Use random mode instead.
- Removed includeAnyMatchRegexes and excludeAnyMatchRegexes options, the whiteListedFolderPaths and blackListedFolderPaths options will be used instead.
- Deprecated classLength option, not longer supported.
- Added ignorePatterns option to ignore the class names and idents that match the regexes or strings.
- Not longer preserve TailwindCSS dark mode class names (ie .dark). Add the dark mode class name to the ignorePatterns.selectors option to preserve it.
- Merge classIgnore into ignorePatterns.selectors option.
- Renamed classPrefix and classSuffix to prefix and suffix.

$3

This version is deeply inspired by PostCSS-Obfuscator. Shout out to n4j1Br4ch1D for creating such a great package and thank you tremor for sponsoring this project.

#### 📌 Changes

- Support basic partial obfuscation
- Support TailwindCSS Dark Mode
- New configuration file next-css-obfuscator.config.cjs
- More configuration options
- Now become a independent solution (no need to patch PostCSS-Obfuscator anymore)
- More tests
- Better CSS parsing

$3

- Migrate from version 1.x to 2.x
- Migrate from version 2.x to 3.x

version 1.x README

version 2.x README

Give me a ⭐ if you like it.

📖 Table of Contents

- 🤔 Why this?
- 💡 How does it work?
- Where is the issue in PostCSS-Obfuscator?
- How does this package solve the issue?
- How does this package work?
- 🗝️ Features
- 🛠️ Development Environment
- 📦 Requirements
- 🚀 Getting Started
- Installation
- Setup
- Usage 🎉
- 🔧 My Setting
- 📖 Config Options Reference
- 💻 CLI
- 💡 Tips
- 1. Not work at Vercel after updated
- 2. Lazy Setup - Obfuscate all files
- 3. It was working normally just now, but not now?
- 4. Why are some original selectors still in the obfuscated CSS file even the removeOriginalCss option is set to true?
- 5. Why did I get a copy of the original CSS after partial obfuscation?
- 6. How to deal with CSS cache in PaaS like Vercel?
- 7. When to use enableJsAst?
- 👀 Demos
- ⭐ TODO
- 🐛 Known Issues
- 💖 Sponsors
- 🦾 Special Thanks
- 🤝 Contributing
- 🏛️ Commercial Usage
- 📝 License
- ☕ Donation

🤔 Why this?

Because in the current version of PostCSS-Obfuscator does not work with Next.js. (see this issue for more details)

💡 How does it work?

$3

PostCSS-Obfuscator will not edit the build files instead it will create a new folder and put the obfuscated source code files in it. This is where the issue is. Next.js will not recognize the obfuscated files and will not include them in the build. I tried to point Nextjs to build the obfuscated files (by simply changing the obfuscated source code folder to src) but it didn't work.

$3

Edit the build files directly. (It may not be the best solution but it works.)

$3

1. Extract and parse CSS files from the build files.
2. Obfuscate the CSS selectors and save to a JSON file.
3. Search and replace the related class names in the build files with the obfuscated class names.

🗝️ Features

- WORK WITH NEXT.JS !!!!!!!!!!!!!!!!!!!

> [!IMPORTANT]\
> This package is NOT guaranteed to work with EVERYONE. Check the site carefully before using it in production.

> [!IMPORTANT]\
> As a trade-off, the obfuscation will make your CSS files larger.

🛠️ Development Environment

| Environment | Version |
| --------------------- | ------------------------- |
| OS | Windows 11 & Ubuntu 22.04 |
| Node.js | v.18.17.1 |
| NPM | v.10.1.0 |
| Next.js (Page Router) | v.13.5.4 & v.13.4.1 |
| Next.js (App Router) | v.14.0.4 |
| TailwindCSS | v.3.3.3 |

- ✅ Tested and works with Next.js Page Router and App Router.
- ✅ Tested and works with Vercel.

(Theoretically it supports all CSS frameworks but I only tested it with TailwindCSS.)

📦 Requirements

- ⌛ TIME 🕛

🚀 Getting Started

$3

``bash
npm install -D next-css-obfuscator
`

Visit the npm page.

$3

1. Create and add the following code to next-css-obfuscator.config.cjs or next-css-obfuscator.config.ts:

##### Obfuscate all files

`javascript
/* @type {import("next-css-obfuscator").Options} /
module.exports = {
enable: true,
mode: "random", // random | simplify
refreshClassConversionJson: false, // recommended set to true if not in production
allowExtensions: [".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"],
};

`

##### Partially obfuscate

> [!CAUTION]\
> Partially obfuscate can be EXTREMELY buggy. Be cautious when using this feature.

`javascript
/* @type {import("next-css-obfuscator").Options} /
module.exports = {
enable: true,
mode: "random", // random | simplify
refreshClassConversionJson: false, // recommended set to true if not in production
allowExtensions: [".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"],

enableMarkers: true,
};

`

Feel free to checkout 📖 Config Options Reference for more options and details.

> [!TIP]\
> The obfuscation will never work as expected, tweak the options with your own needs.

2. Add the following code to package.json:

`javascript
"scripts": {
// other scripts ...
"obfuscate-build": "next-css-obfuscator"
},
`

Read 💻 CLI for more details.

$3

1. Run npm run build to build the project.
2. Run npm run obfuscate-build to obfuscate the css files.

(You may need to delete the .next/cache folder before running npm run start to make sure the obfuscation takes effect. And don't forget to shift + F5 refresh the page.)

> [!WARNING]\
> NEVER run obfuscate-build twice in a row. It may mess up the build files and the obfuscation conversion table. You can remove the classConversionJsonFolderPath(default: css-obfuscator) folder to reset the conversion table.

> [!NOTE]\
> For better development experience, it is recommended to enable refreshClassConversionJson option in next-css-obfuscator.config.cjs and disable it in production.

For convenience, you may update your build script to:

``javascript
// package.json

"scripts": {
// other scripts ...
"build": "next build && npm run obfuscate-build"
},
`

to make sure the build is always obfuscated and no need to run obfuscate-build manually.

> [!NOTE]\
> It is a good idea to add the /css-obfuscator folder to .gitignore to prevent the conversion table from being uploaded to the repository.

#### Partially obfuscate

To partially obfuscate your project, you have to add the obfuscate marker class to the components you want to obfuscate.

`diff
// example

export default function HomePage() {
return (


`javascript
// next-css-obfuscator.config.cjs

/* @type {import("next-css-obfuscator").Options} /
module.exports = {
enable: true,
mode: "random", // random | simplify
refreshClassConversionJson: false, // recommended set to true if not in production
allowExtensions: [".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"],

blackListedFolderPaths: [
"./.next/cache",
/\.next\/server\/pages\/api/,
/_document..*js/,
/_app-.*/,
/__./, // <= maybe helpful if you are using Next.js Local Fonts [1]
],
};
`

[*1] See this comment

It may not be the best setting but it works for me. :)

📖 Config Options Reference

| Option | Type | Default | Description |
| ---------------------------- | ----------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------- |
| enable | boolean | true | Enable or disable the obfuscation. |
| mode | "random" \| "simplify" | "random" | Obfuscate mode,

random: Fixed size random class name

simplify: Alphabetic class name, like medium|
|buildFolderPath|string|"./.next"|The folder path to store the build files built by Next.js.|
|classConversionJsonFolderPath|string|"./css-obfuscator"|The folder path to store the before obfuscate and after obfuscated classes conversion table.|
|refreshClassConversionJson|boolean|false|Refresh the class conversion JSON file(s) at every obfuscation. Good for setting tweaking but not recommended for production.|
|prefix.selectors|string|""|The prefix of the obfuscated classname.|
|prefix.idents|string|""|The prefix of the obfuscated ident name.|
|suffix.selectors|string|""|The suffix of the obfuscated classname.|
|suffix.idents|string|""|The suffix of the obfuscated ident name.|
|ignorePatterns|{selectors: [], idents: []}|{selectors: [], idents: []}|The patterns to be ignored during obfuscation.|
|allowExtensions|string[ ]|[".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"]|The file extensions to be processed.|
|contentIgnoreRegexes|RegExp[ ]|[/\.jsxs\)\("\w+"/g]|The regexes to match the content to be ignored during obfuscation.|
|whiteListedFolderPaths|string \| Regex|[ ]|The folder paths/Regex to be processed. Empty array means all folders will be processed.|
|blackListedFolderPaths|string \| Regex|[ ]|The folder paths/Regex to be ignored.|
|enableMarkers|boolean|false|Enable or disable the obfuscation markers.|
|markers|string[ ]|[ ]|Classes that indicate component(s) need to obfuscate.|
|removeMarkersAfterObfuscated|boolean|true|Remove the obfuscation markers from HTML elements after obfuscation.|
|removeOriginalCss|boolean|false|Delete original CSS from CSS files if it has a obfuscated version. (NOT recommended using in partial obfuscation)
|generatorSeed|string \| undefined|{random string}|The seed for the random class name generator. "undefined" means use random seed.

For "random" mode only. |
|logLevel|"debug" \| "info" \| "warn" \| "error" \| "success"| "info"|The log level.|

$3

| Option| Type| Default| Description| Stage |
| - | - | - | - | - |
|enableJsAst|boolean|true|Whether to obfuscate JS files using abstract syntax tree parser.

contentIgnoreRegexes option will be ignored if this option is enabled.|Alpha|

> [!NOTE]\
> The above options are still at the early stages of development and may not work as expected.
>
> Open an issue if you encounter any issues.

> [!NOTE]\
> Stages -
>
> 1. PoC: Proof of Concept. The feature is still in the concept stage and is not recommended in production.
> 2. Alpha: The feature is still in the early stage of development and may not work as expected.
> 3. Beta: The feature is almost completed and should work as expected but may have some issues. (if no issue is reported in a period, it will be considered stable.)
> 4. Stable: The feature is in the final stage of development and should work as expected.

$3

`js
// next-css-obfuscator.config.cjs

module.exports = {
enable: true, // Enable or disable the plugin.
mode: "random", // Obfuscate mode, "random", "simplify" or "simplify-seedable".
buildFolderPath: ".next", // Build folder of your project.
classConversionJsonFolderPath: "./css-obfuscator", // The folder path to store the before obfuscate and after obfuscated classes conversion table.
refreshClassConversionJson: false, // Refresh the class conversion JSON file.

/**
* @deprecated Not longer used from v3.0.0 and will be removed in the next major version.
*/
classLength: 5, // Length of the obfuscated class name.

/**
* @deprecated Merged into prefix from v3.0.0 and will be removed in the next major version.
*/
classPrefix: "", // Prefix of the obfuscated class name.

/**
* @deprecated Merged into suffix from v3.0.0 and will be removed in the next major version.
*/
classSuffix: "", // Suffix of the obfuscated class name.

prefix: {
selectors: "", // Prefix of the obfuscated classname.
idents: "", // Prefix of the obfuscated ident name.
},
suffix: {
selectors: "", // Suffix of the obfuscated classname.
idents: "", // Suffix of the obfuscated ident name.
},

/**
* @deprecated Merged into ignorePatterns.selectors from v3.0.0 and will be removed in the next major version.
*/
classIgnore: [], // The class names to be ignored during obfuscation.
ignorePatterns: { // The patterns to be ignored during obfuscation.
selectors: [], // The selectors to be ignored during obfuscation.
idents: [], // The idents to be ignored during obfuscation.
},

allowExtensions: [".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"], // The file extensions to be processed.
contentIgnoreRegexes: [
/\.jsxs\)\("\w+"/g, // avoid accidentally obfuscate the HTML tag
], // The regexes to match the file content to be ignored during obfuscation.

whiteListedFolderPaths: [], // Only obfuscate files in these folders
blackListedFolderPaths: ["./.next/cache"], // Don't obfuscate files in these folders
enableMarkers: false, // Enable or disable the obfuscate marker classes.
markers: ["next-css-obfuscation"], // Classes that indicate component(s) need to obfuscate.
removeMarkersAfterObfuscated: true, // Remove the obfuscation markers from HTML elements after obfuscation.
removeOriginalCss: false, // Delete original CSS from CSS files if it has a obfuscated version.
generatorSeed: undefined, // The seed for the random generator. "undefined" means use random seed.

/**
* Experimental feature
*/
enableJsAst: true, // Whether to obfuscate JS files using abstract syntax tree parser. (Experimental feature)

logLevel: "info", // Log level
};
`

💻 CLI

`bash
next-css-obfuscator --config ./path/to/your/config/file
`

💡 Tips

$3

If you are using this package with Vercel, you may find the package does not work as expected after being updated. This is because Vercel will cache the last build for a faster build time. To fix this you have to redeploy with the Use existing build cache option disabled.

$3

Enable enableMarkers and put the obfuscate marker class at every component included the index page. But if you want to set and forget, you must play with the options to ensure the obfuscation works as expected.

$3

Your conversion table may be messed up. Try to delete the classConversionJsonFolderPath(default: css-obfuscator) folder to reset the conversion table.

$3

In a normal situation, the package will only remove the original CSS that is related to the obfuscation and you should not see any CSS sharing the same declaration block.

You are not expected to see this:

`css
/ example.css /

/ original form /
.text-stone-300 {
--tw-text-opacity: 1;
color: rgb(214 211 209 / var(--tw-text-opacity));
}

/ obfuscated form /
.d8964 {
--d89645: 1;
color: rgb(214 211 209 / var(--d89645));
}
`

But this:

`css
/ example.css /

/ obfuscated form /
.d8964 {
--d89645: 1;
color: rgb(214 211 209 / var(--d89645));
}
`

If you encounter the first situation, it means something is wrong with the obfuscation. You may need to raise an issue with your configuration and the related code.

$3

Since the original CSS may be referenced by other components not included in the obfuscation, the package will not remove the original CSS to prevent breaking the the site.

$3

(I will take Vercel as an example)

You may discover that the obfuscated class conversion table updates every time you deploy your site to Vercel even if the refreshClassConversionJson option is set to false. As a result, the CSS file will update in every deployment and break the CDN cache. This is because Vercel will not keep the files generated by the previous deployment. To fix this, you can simply provide a fixed generatorSeed to make sure the obfuscated class name will be the same as the previous.

$3

~~If you are going to partially obfuscate your site, you may want to enable this option to obfuscate. It gives the ability to trace the variable that is related to the class name in a JS file which the normal basic partial obfuscation can't do.~~ (WIP)

> [!IMPORTANT]
> Note that if a shared component is under the obfuscation marker, that component will be obfuscated and may affect other components(with no obfuscation marker) that use the same shared component.

If you are going to obfuscate the whole site, you will get a way more accurate obfuscation by enabling this option without putting a ton of time into tweaking the options.

> [!NOTE]
> As a trade-off, this will take more time to obfuscate.

> [!NOTE]
> This method can only trace the variable within the same JS file. It can't trace the variable that is imported from another file.

👀 Demos

1. Next 14 App Router
2. Next 14 App Router Partially Obfuscated
3. hoangnhan.co.uk (BY hoangnhan2ka3)

⭐ TODO

- [x] Partial obfuscation
- [x] To be a totally independent package (remove dependency on PostCSS-Obfuscator)
- [ ] More tests
- [ ] More demos ?

🐛 Known Issues

- [ ] Partial Obfuscation
- Not work with complex components. (eg. A component with shared component(s))
- Reason: The obfuscation marker can't locate the correct code block to obfuscate.
- Potential Solution: track the function/variable call stack to locate the correct code block to obfuscate.

💖 Sponsors

Thank you to all the sponsors who support this project.

#### Organizations (1)

tremor

#### Individuals (1)

nhannt201

🦾 Special Thanks

hoangnhan2ka3

🤝 Contributing

Contributions are welcome! If you find a bug or have a feature request, please open an issue. If you want to contribute code, please fork the repository and run npm run test` before submit a pull request.

🏛️ Commercial Usage

#### Individual🕺

Are you using this package for a personal project? That's great! You can support us by starring this repo on Github ⭐🌟⭐.

#### Organization 👯‍♂️

Are you using this package within your organization and generating revenue from it? Fantastic! We depend on your support to continue developing and maintaining the package under an MIT License. You might consider showing your support through Github Sponsors.

📝 License

This project is licensed under the MIT License - see the LICENSE file for details

⭐ Star History


☕ Donation

Love it? Consider a donation to support my work.

 <- click me~