Securing our Property or how to make an HTML5/JS-Game safe


From the very beginning, VEmpire has been built as an HTML5 game coded in JavaScript.
We are planning to convert the game into native apps for the different target platforms, using several different approaches that already exist.
Because VEmpire is a digital card game, a deck-building game to be more accurate, it was clear that touch devices should be at the top of our list of target devices, simply because they are great for card games!
More on how we’ll convert to those platforms and why we have chosen this approach will be published in one of our next posts.


Let’s focus on the Web-Version of the game for now, because it is all about the Alpha of the game here, and the Alpha will exist only as a web application.

We always wanted to build a great Web-Version of the game, one that is impressive without any plugin. After 2 years of development I have a good feeling about this, and we will prove it (hopefully!): although it is “just” an Alpha, it is intended to be great already, without any excuses.

The VEmpire Web-Version does not need a permanent internet connection once it is loaded.
This simply means that you can play against the AI without needing to log in. But only if you are logged in successfully (Online-Mode) can you access leaderboards and other server-side features and, most importantly, play against others (PvP Duels).

VEmpire-Alpha comes without Online-Mode initially!

Client-Side Security, How?

Although web-applications have, without any doubt, lots of advantages in comparison to native applications, there are some serious drawbacks!
And serious is a good word here, because security is a big disadvantage when it comes to web apps and their client-side JavaScript code.
(We will not cover server-side security and data-transfer security issues here; this will be in one of the next posts, where we will talk in detail about how to use SSL (https)!)

Because JavaScript is sent in clear text, our intellectual property is exposed, which is… not so good!
Although it is not possible to secure the client code 100%, simply because the browser needs to interpret the code in the end, there are ways to make life much harder for hackers and attackers.

Jscrambler, a lucky solution?

After evaluating some free tools that minify and obfuscate JavaScript code, we decided to go with Jscrambler, a professional solution, out of frustration with those “free” solutions. There are, believe me, a lot of reasons; here are just two:

  • Most of these tools simply do not work (with more complex code!)
  • A free obfuscator is not always free, as you can read about here

Furthermore, Jscrambler comes with great additional features to secure our code, not just compression and obfuscation.

Obfuscation, which makes the code unreadable to humans, is just the first step in securing a JavaScript application. Jscrambler comes with 2 additional features which are promising:

  • “Code-Traps”, which force the app to execute only in certain domains and make the code expire if placed elsewhere.
  • Self-defending capabilities that prevent tampering attacks (modifications in the debugger, e.g. modifying the score!)

Honestly, we need exactly all of this for VEmpire if we want to prevent the following:

  • Our code could be stolen easily!
  • Players can cheat!
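
As an added illustration (not code from the original post and not Jscrambler's implementation), here is what the host check behind a domain lock can look like. The allowlist entries and the `start` callback are hypothetical placeholders; because the check runs in the player's browser it only raises the bar, as noted above for client-side code in general.

```javascript
// Added example of a domain lock check; not Jscrambler's implementation.
// ALLOWED_HOSTS is a constructed allowlist with placeholder domain names.
const ALLOWED_HOSTS = ["game.example", "*.game.example", "localhost"];

// Lower-case the host and strip one trailing dot (fully qualified form).
function normalizeHost(host) {
  if (typeof host !== "string") return "";
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// "*.x" matches any subdomain of x on a label boundary, so neither x itself
// nor a look-alike such as "evilx" passes. Other patterns must match exactly.
function hostMatches(host, pattern) {
  const h = normalizeHost(host);
  const p = normalizeHost(pattern);
  if (h === "" || p === "") return false;
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // keeps the leading dot: ".game.example"
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === p;
}

// Decide whether the page URL the code was loaded from is an allowed location.
function isAllowedOrigin(urlString, allowlist = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return false; // unparsable location: fail closed
  }
  // Copies opened from disk (file:) or served over plain http are rejected,
  // except for local development on localhost.
  if (url.protocol !== "https:" && url.hostname !== "localhost") return false;
  return allowlist.some((p) => hostMatches(url.hostname, p));
}

// Gate start-up on the check. `start` is a hypothetical game entry point;
// in a browser, locationHref would be window.location.href.
function guardedStart(locationHref, start) {
  if (!isAllowedOrigin(locationHref)) return false;
  start();
  return true;
}
```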

In the next post we’ll report on our first steps with Jscrambler, so stay tuned!

Best regards, Wolfgang

Author admin

Comments (2)


  • العاب
    15. January 2016 at 16:54
    Thank you for this great information regarding HTML5 games, was looking for it :)
  • Mobile Game Graphics
    21. January 2016 at 6:36
    Nice HTML5 game. It's good.