I'm currently developing a fully-browser-based game (a la Cookie Clicker) and I'm trying to minimize the possibility of users exploiting the visible JavaScript to cheat their game saves. For the sake of explanation, let's look at a hypothetical function;
let user = {
money: 0
};
function addMoney(amount) {
user.money += amount;
}
If this were a real function in my game, any user could simply pop open the developer console, type addMoney(1e100), and instantly ruin any possibility of competitiveness among my potential player-base.
I'd like to know if there's any way to disable external JavaScript input (be it through the developer console or through the use of javascript:() injections within the address bar) and if such a thing doesn't exist, is it at least possible to detect external JavaScript as opposed to JavaScript that was executed internally by the site itself?
Say no more:
If a 'cheater' is sufficiently determined (and skilled), you won't stop them, but obfuscating/minfying the code will make it much more difficult and deter the vast majority of them - certainly the casual ones. There are many available tools for doing that, and it is very easy to do..
This is a very good one to use:
https://developers.google.com/closure/compiler/