Skip to content

A package deeply inspired by PostCSS-Obfuscator but for Next.js.

License

Notifications You must be signed in to change notification settings

soranoo/next-css-obfuscator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

82 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

NEXT-CSS-OBFUSCATOR

Project starts on 30-10-2023

Tests MIT LicenseΒ Β Β Donation

banner

npm version npm downloads


Visit the GitHub Page for better reading experience and latest docs. 😎


πŸŽ‰ Version 2.1.0 has NOW been released πŸŽ‰

Shout out to hoangnhan2ka3 for providing a πŸ’ͺwonderful issue report and a demo site.

πŸ“Œ Changes

  • Much Much Much better quality of CSS selector obfuscation
  • Delete original CSS automatically after obfuscation (only apply at full obfuscation)
  • Support TailwindCSS Universal Selector (eg. *:pt-4)
  • More tests

πŸ“Œ Configuration Changes

  • Removed customTailwindDarkModeSelector option, the dark mode selector will be automatically obfuscated at full obfuscation.
  • Merged includeAnyMatchRegexes and excludeAnyMatchRegexes options into whiteListedFolderPaths and blackListedFolderPaths options. (Directly move the regexes to the whiteListedFolderPaths and blackListedFolderPaths options)
  • Added removeOriginalCss option, default to false. Set to true to delete original CSS from CSS files if it has a obfuscated version.
  • classIgnore option now supports Regex.

πŸ’₯ Version 2 (Major Update)

This version is deeply inspired by PostCSS-Obfuscator. Shout out to n4j1Br4ch1D for creating such a great package and thank you tremor for sponsoring this project.

πŸ“Œ Changes

  • Support basic partial obfuscation
  • Support TailwindCSS Dark Mode
  • New configuration file next-css-obfuscator.config.cjs
  • More configuration options
  • Now become a independent solution (no need to patch PostCSS-Obfuscator anymore)
  • More tests
  • Better CSS parsing

πŸ“š Migration Guides

version 1.x README

Give me a ⭐ if you like it.

πŸ“– Table of Contents

πŸ€” Why this?

Because in the current version of PostCSS-Obfuscator does not work with Next.js. (see this issue for more details)

πŸ’‘ How does it work?

Where is the issue in PostCSS-Obfuscator?

PostCSS-Obfuscator will not edit the build files instead it will create a new folder and put the obfuscated source code files in it. This is where the issue is. Next.js will not recognize the obfuscated files and will not include them in the build. I tried to point Nextjs to build the obfuscated files (by simply changing the obfuscated source code folder to src) but it didn't work.

How does this package solve the issue?

Edit the build files directly. (It may not be the best solution but it works.)

How does this package work?

  1. Extract and parse CSS files from the build files.
  2. Obfuscate the CSS selectors and save to a JSON file.
  3. Search and replace the related class names in the build files with the obfuscated class names.

πŸ—οΈ Features

  • WORK WITH NEXT.JS !!!!!!!!!!!!!!!!!!!

Important

This package is NOT guaranteed to work with EVERYONE. Check the site carefully before using it in production.

Important

As a trade-off, the obfuscation will make your CSS files larger.

πŸ› οΈ Development Environment

Environment Version
OS Windows 11 & Ubuntu 22.04
Node.js v.18.17.1
NPM v.10.1.0
Next.js (Page Router) v.13.5.4 & v.13.4.1
Next.js (App Router) v.14.0.4
TailwindCSS v.3.3.3
  • βœ… Tested and works with Next.js Page Router and App Router.
  • βœ… Tested and works with Vercel.

(Theoretically it supports all CSS frameworks but I only tested it with TailwindCSS.)

πŸ“¦ Requirements

  • βŒ› TIME πŸ•›

πŸš€ Getting Started

Installation

npm install -D  next-css-obfuscator

Visit the npm page.

Setup

  1. Create and add the following code to next-css-obfuscator.config.cjs or next-css-obfuscator.config.ts:

    Obfuscate all files
    module.exports = {
        enable: true,
        mode: "random", // random | simplify | simplify-seedable
        refreshClassConversionJson: false, // recommended set to true if not in production
        allowExtensions: [".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"],
      };
    Partially obfuscate
    module.exports = {
        enable: true,
        mode: "random", // random | simplify | simplify-seedable
        refreshClassConversionJson: false, // recommended set to true if not in production
        allowExtensions: [".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"],
    
        enableMarkers: true,
      };
    TypeScript
    import { Options } from "next-css-obfuscator";
    
    module.exports = {
      // other options ...
    } as Options;

    Feel free to checkout πŸ“– Config Options Reference for more options and details.

    [!NOTE] The obfuscation will never work as expected, tweak the options with your own needs.

  2. Add the following code to package.json:

    "scripts": {
     // other scripts ...
     "obfuscate-build": "next-css-obfuscator"
     },

    Read πŸ’» CLI for more details.

Usage πŸŽ‰

  1. Run npm run build to build the project.
  2. Run npm run obfuscate-build to obfuscate the css files.

(You may need to delete the .next/cache folder before running npm run start to make sure the obfuscation takes effect. And don't forget to shift + F5 refresh the page.`)

Warning

NEVER run obfuscate-build twice in a row. It may mess up the build files and the obfuscation conversion table. You can remove the classConversionJsonFolderPath(default: css-obfuscator) folder to reset the conversion table.

Note

For better development experience, it is recommended to enable refreshClassConversionJson option in next-css-obfuscator.config.cjs and disable it in production.

For convenience, you may update your build script to:

// package.json

"scripts": {
  // other scripts ...
  "build": "next build && npm run obfuscate-build"
},

to make sure the build is always obfuscated and no need to run obfuscate-build manually.

Note

It is a good idea to add the /css-obfuscator folder to .gitignore to prevent the conversion table from being uploaded to the repository.

Partially obfuscate

To partially obfuscate your project, you have to add the obfuscate marker class to the components you want to obfuscate.

// example

export default function HomePage() {
  return (
    <main className="flex min-h-screen flex-col items-center justify-center bg-gradient-to-b from-[#fac3e3] to-[#5c9cbd] text-white">
      <div className="container flex flex-col items-center justify-center gap-12 px-4 py-16 ">
        <h1 className="text-5xl font-extrabold tracking-tight text-white sm:text-[5rem]">
          Next14 App Router
        </h1>
      </div>
-     <div className="container flex flex-col items-center justify-center gap-12 px-4 py-16 ">
+     <div className="next-css-obfuscation container flex flex-col items-center justify-center gap-12 px-4 py-16 ">
        <span className="text-2xl font-extrabold tracking-tight text-gray-700 border-2 border-blue-950 rounded-lg p-4">
          My classes are obfuscated
        </span>
      </div>
    </main>
  );
}

See Next 14 App Router Partially Obfuscated Demo for more details.

πŸ”§ My Setting

If you are interested in my setting (from my production site), here it is

// next-css-obfuscator.config.cjs

module.exports = {
  enable: true,
  mode: "random", // random | simplify | simplify-seedable
  refreshClassConversionJson: false, // recommended set to true if not in production
  allowExtensions: [".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"],

  blackListedFolderPaths: [
    "./.next/cache",
    /\.next\/server\/pages\/api/,
    /_document..*js/,
    /_app-.*/,
    /__.*/, // <= maybe helpful if you are using Next.js Local Fonts [1*]
  ],
};

[*1] See this comment

It may not be the best setting but it works for me. :)

πŸ“– Config Options Reference

Option Type Default Description
enable boolean true Enable or disable the obfuscation.
mode "random" | "simplify" | "simplify-seedable" "random" Obfuscate mode,

random: Fixed size random class name

simplify: Alphabetic class name, like medium

simplify-seedable: Random dynamic size class name
buildFolderPath string "./.next" The folder path to store the build files built by Next.js.
classConversionJsonFolderPath string "./css-obfuscator" The folder path to store the before obfuscate and after obfuscated classes conversion table.
refreshClassConversionJson boolean false Refresh the class conversion JSON file(s) at every obfuscation. Good for setting tweaking but not recommended for production.
classLength number 5 The length of the obfuscated class name if in random mode.

It is not recommended to set the length to less than 4.
classPrefix string "" The prefix of the obfuscated class name.
classSuffix string "" The suffix of the obfuscated class name.
classIgnore (string | Regex)[ ] [ ] The class names to be ignored during obfuscation.
allowExtensions string[ ] [".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"] The file extensions to be processed.
contentIgnoreRegexes RegExp[ ] [/.jsxs)("\w+"/g] The regexes to match the content to be ignored during obfuscation.
whiteListedFolderPaths (string | Regex)[ ] [ ] The folder paths/Regex to be processed. Empty array means all folders will be processed.
blackListedFolderPaths (string | Regex)[ ] [ ] The folder paths/Regex to be ignored.
enableMarkers boolean false Enable or disable the obfuscation markers.
markers string[ ] [ ] Classes that indicate component(s) need to obfuscate.
removeMarkersAfterObfuscated boolean true Remove the obfuscation markers from HTML elements after obfuscation.
removeOriginalCss boolean false Delete original CSS from CSS files if it has a obfuscated version. (NOT recommended using in partial obfuscation)
generatorSeed string "-1" The seed for the random class name generator. "-1" means use random seed.

For "random" and "simplify-seedable" mode only.
logLevel "debug" | "info" | "warn" | "error" | "success" "info" The log level.

Experimental Features Options 🚧

Option Type Default Description Stage
enableJsAst boolean false Whether to obfuscate JS files using abstract syntax tree parser.

contentIgnoreRegexes option will be ignored if this option is enabled.
Alpha

Note

The above options are still at the early stages of development and may not work as expected.

Open an issue if you encounter any issues.

Note

Stages -

  1. PoC: Proof of Concept. The feature is still in the concept stage and is not recommended in production.
  2. Alpha: The feature is still in the early stage of development and may not work as expected.
  3. Beta: The feature is almost completed and should work as expected but may have some issues. (if no issue is reported in a period, it will be considered stable.)
  4. Stable: The feature is in the final stage of development and should work as expected.

All options in one place πŸ“¦

// next-css-obfuscator.config.cjs

module.exports = {
    enable: true, // Enable or disable the plugin.
    mode: "random", // Obfuscate mode, "random", "simplify" or "simplify-seedable"
    buildFolderPath: ".next", // Build folder of your project.
    classConversionJsonFolderPath: "./css-obfuscator", // The folder path to store the before obfuscate and after obfuscated classes conversion table.
    refreshClassConversionJson: false, // Refresh the class conversion JSON file.

    classLength: 5, // Length of the obfuscated class name.
    classPrefix: "", // Prefix of the obfuscated class name.
    classSuffix: "", // Suffix of the obfuscated class name.
    classIgnore: [], // The class names to be ignored during obfuscation.
    allowExtensions: [".jsx", ".tsx", ".js", ".ts", ".html", ".rsc"], // The file extensions to be processed.
    contentIgnoreRegexes: [
        /\.jsxs\)\("\w+"/g, // avoid accidentally obfuscate the HTML tag
    ], // The regexes to match the file content to be ignored during obfuscation.

    whiteListedFolderPaths: [], // Only obfuscate files in these folders
    blackListedFolderPaths: ["./.next/cache"], // Don't obfuscate files in these folders
    enableMarkers: false, // Enable or disable the obfuscate marker classes.
    markers: ["next-css-obfuscation"], // Classes that indicate component(s) need to obfuscate.
    removeMarkersAfterObfuscated: true, // Remove the obfuscation markers from HTML elements after obfuscation.
    removeOriginalCss: false, // Delete original CSS from CSS files if it has a obfuscated version.
    generatorSeed: "-1", // The seed for the random generator. "-1" means use random seed.

    //! Experimental feature
    enableJsAst: false, // Whether to obfuscate JS files using abstract syntax tree parser (Experimental feature)

    logLevel: "info", // Log level
};

πŸ’» CLI

next-css-obfuscator --config ./path/to/your/config/file

πŸ’‘ Tips

1. Not work at Vercel after updated ?

If you are using this package with Vercel, you may find the package does not work as expected after being updated. This is because Vercel will cache the last build for a faster build time. To fix this you have to redeploy with the Use existing build cache option disabled.

2. Lazy Setup - Obfuscate all files

Enable enableMarkers and put the obfuscate marker class at every component included the index page. But if you want to set and forget, you must play with the options to ensure the obfuscation works as expected.

3. It was working normally just now, but not now?

Your conversion table may be messed up. Try to delete the classConversionJsonFolderPath(default: css-obfuscator) folder to reset the conversion table.

4. Why are some original selectors still in the obfuscated CSS file even the removeOriginalCss option is set to true?

In a normal situation, the package will only remove the original CSS that is related to the obfuscation and you should not see any CSS sharing the same declaration block.

You are not expected to see this:

/* example.css */

/* original form */
.text-stone-300 {
  --tw-text-opacity: 1;
  color: rgb(214 211 209 / var(--tw-text-opacity));
}

/* obfuscated form */
.d8964 {
  --tw-text-opacity: 1;
  color: rgb(214 211 209 / var(--tw-text-opacity));
}

But this:

/* example.css */

/* obfuscated form */
.d8964 {
  --tw-text-opacity: 1;
  color: rgb(214 211 209 / var(--tw-text-opacity));
}

If you encounter the first situation, it means something is wrong with the obfuscation. You may need to raise an issue with your configuration and the related code.

5. Why did I get a copy of the original CSS after partial obfuscation?

Since the original CSS may be referenced by other components not included in the obfuscation, the package will not remove the original CSS to prevent breaking the the site.

6. How to deal with CSS cache in PaaS like Vercel?

(I will take Vercel as an example)

You may discover that the obfuscated class conversion table updates every time you deploy your site to Vercel even if the refreshClassConversionJson option is set to false. As a result, the CSS file will update in every deployment and break the CDN cache. This is because Vercel will not keep the files generated by the previous deployment. To fix this, you can simply provide a fixed generatorSeed to make sure the obfuscated class name will be the same as the previous.

7. When to use enableJsAst?

If you are going to partially obfuscate your site, you may want to enable this option to obfuscate. It gives the ability to trace the variable that is related to the class name in a JS file which the normal basic partial obfuscation can't do. (WIP)

Important

Note that if a shared component is under the obfuscation marker, that component will be obfuscated and may affect other components(with no obfuscation marker) that use the same shared component.

If you are going to obfuscate the whole site, you will get a way more accurate obfuscation by enabling this option without putting a ton of time into tweaking the options.

Note

As a trade-off, this will take more time to obfuscate.

Note

This method can only trace the variable within the same JS file. It can't trace the variable that is imported from another file.

πŸ‘€ Demos

  1. Next 14 App Router
  2. Next 14 App Router Partially Obfuscated
  3. hoangnhan.co.uk (BY hoangnhan2ka3)

⭐ TODO

  • Partial obfuscation
  • To be a totally independent package (remove dependency on PostCSS-Obfuscator)
  • More tests
  • More demos ?

πŸ› Known Issues

  • Partial Obfuscation
    • Not work with complex components. (eg. A component with shared component(s))
      • Reason: The obfuscation marker can't locate the correct code block to obfuscate.
    • Potential Solution: track the function/variable call stack to locate the correct code block to obfuscate.

πŸ’– Sponsors

Organizations (1)


tremor

Individuals (0)

🦾 Special Thanks


hoangnhan2ka3

🀝 Contributing

Contributions are welcome! If you find a bug or have a feature request, please open an issue. If you want to contribute code, please fork the repository and run npm run test before submit a pull request.

πŸ›οΈ Commercial Usage

IndividualπŸ•Ί

Are you using this package for a personal project? That's great! You can support us by starring this repo on Github ⭐🌟⭐.

Organization πŸ‘―β€β™‚οΈ

Are you using this package within your organization and generating revenue from it? Fantastic! We depend on your support to continue developing and maintaining the package under an MIT License. You might consider showing your support through Github Sponsors.

πŸ“ License

This project is licensed under the MIT License - see the LICENSE file for details

⭐ Star History

Star History Chart

β˜• Donation

Love it? Consider a donation to support my work.

"Donation" <- click me~