npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

pua-font-obfuscator

v0.1.1

Published

Server-side HTML font obfuscation library.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

tsukasa-utsukasa-u

Keywords

font-obfuscationhtml-obfuscationserver-sidessrpuaunicodewebfont

Readme

PUA Font Obfuscator

Language:

PUA Font Obfuscator is a server-side HTML obfuscation library. It remaps selected text to PUA code points and injects a one-time font ticket, so text remains readable on screen but harder to extract from copied raw text.

Quick Start

Step 1: Install

pnpm add pua-font-obfuscator

Step 2: Wrap your HTML response handler

import { FontObfuscator, withFetchObfuscation } from "pua-font-obfuscator";

const obfuscator = new FontObfuscator({
  fontUrl: "https://.../NotoSansJP[wght].ttf",
  fontRoutePrefix: "/_obf/font",
});

const handler = withFetchObfuscation(
  async () =>
    new Response("<html><head></head><body><p class='secret'>Hello</p></body></html>", {
      headers: { "content-type": "text/html; charset=utf-8" },
    }),
  obfuscator,
  { selectors: [".secret"] },
);

Step 3: If you are not using adapter wrappers, handle font token requests early

const fontRes = await obfuscator.maybeHandleFontRequest(req);
if (fontRes) return fontRes;

What To Obfuscate

  • Obfuscate only sensitive server-rendered text (minimal selector scope).
  • Keep normal app state in framework-native state management.
  • Do not treat hydration-managed or client-side DOM updates as obfuscation guarantees.
  • Treat dynamic state transitions as a design boundary: when state values are sensitive, compute the next state on the server and return only obfuscated strings to the client.
  • Keep client-side state updates for ergonomics only (non-sensitive UI state). Do not assume client-side transitions are protected just because the initial HTML was obfuscated.

Core APIs

Choose APIs by use case rather than memorizing a flat list.

1) Baseline APIs

  • new FontObfuscator(options) Use: create the obfuscator instance.
  • obfuscateHtml(html, { selectors }) Use: one-shot server-side obfuscation for an HTML string.
  • maybeHandleFontRequest(request) Use: early return for /_obf/font/... ticket requests.

2) Cached static templates

  • precomputeHtml(html, { selectors }) Use: precompute once for mostly-static templates.
  • servePrecomputed(precomputedPage, options?) Use: per-request ticket injection from the precomputed template.

3) Dynamic SSR pages

  • precomputeMapping(hintHtml?) Use: prepare mapping ahead of runtime rendering.
  • getRotatingMapping(hintHtml?) Use: get rotation-aware mapping for better replay resistance.
  • serveWithMapping(html, selectors, precomputedMapping, options?) Use: obfuscate request-time HTML with a known mapping.

Obfuscated Dictionary / State Helpers

Use these helpers when you want framework-friendly i18n/state structures while keeping client payload values obfuscated.

  • encodeText(text, mapping, options?) Use: obfuscate a single string.
  • preEncodeShuffled(values, mapping, options?) Use: pre-obfuscate value arrays with shuffle + decoys.
  • obfuscateDictionary(dict, mapping, options?) Use: obfuscate values of a flat string dictionary.
  • obfuscateI18nDictionary(dictionaries, mapping, options?) Use: obfuscate nested language dictionaries ({ ja, en, ... }).
  • obfuscateStringLeaves(state, mapping, options?) Use: obfuscate only string leaves in JSON-like state.

obfuscateStringLeaves leaves numbers and booleans untouched. Do not treat client-visible numeric state or counters as protected data; if a numeric transition matters, compute it server-side and return the next obfuscated string instead.

import {
  FontObfuscator,
  obfuscateI18nDictionary,
  obfuscateStringLeaves,
} from "pua-font-obfuscator";

const obfuscator = new FontObfuscator({ fontUrl: "https://.../font.ttf" });
const pm = await obfuscator.getRotatingMapping("<p>hint text</p>");

const obfI18n = obfuscateI18nDictionary(
  {
    ja: { title: "こんにちは" },
    en: { title: "Hello" },
  },
  pm.mapping,
  { variants: pm.variants, variantSeed: pm.seed },
);

const obfState = obfuscateStringLeaves(
  { status: "idle", phase: "review", labels: ["Start", "Done"] },
  pm.mapping,
  { variants: pm.variants, variantSeed: pm.seed },
);

5) Framework wrappers

  • obfuscateHtmlResponse(response, obfuscator, options) Use: post-process an existing Response.
  • withFetchObfuscation(...) Use: generic Fetch handler wrapper.
  • withNextRouteHandlerObfuscation(...) Use: Next.js Route Handler wrapper.
  • withRemixRequestHandlerObfuscation(...) Use: Remix request handler wrapper.
  • withAstroEndpointObfuscation(...) Use: Astro endpoint wrapper.
  • withSvelteKitHandleObfuscation(...) Use: SvelteKit handle wrapper.
  • withHonoObfuscation(...) Use: Hono handler wrapper.

Type exports (such as FontObfuscatorOptions) are available via TypeScript autocomplete. If you need the full export surface, see lib/index.ts.

PUA Capacity Modes

FontObfuscator supports puaPlaneMode to choose PUA pool capacity.

  • bmp (default): BMP PUA only (6400)
  • bmp+supplementary: BMP + Supplementary PUA Plane 15/16 (137468)
const obfuscator = new FontObfuscator({
  fontUrl: "https://.../NotoSansJP[wght].ttf",
  fontRoutePrefix: "/_obf/font",
  puaPlaneMode: "bmp+supplementary",
});

Supplementary mode is experimental. Validate rendering on your target devices before production.

Adapter Helpers

  • Generic Fetch: withFetchObfuscation, obfuscateHtmlResponse
  • Next.js: withNextRouteHandlerObfuscation
  • Remix: withRemixRequestHandlerObfuscation
  • Astro: withAstroEndpointObfuscation
  • SvelteKit: withSvelteKitHandleObfuscation
  • Hono: withHonoObfuscation

Security Notes

  • This library raises extraction cost; it is not DRM.
  • Apply on server-rendered HTML responses.
  • Keep token/session TTL short for better resistance.
  • Avoid leaking plaintext in API payloads or embedded JSON.
  • Avoid client-visible numeric counters or arithmetic-derived state when you are trying to protect dynamic values; return the next obfuscated string from the server instead.
  • Apply the same caution to non-numeric state as well: status/flags/labels can also leak transition patterns if the client computes or exposes them directly.

Examples

See examples/README.md.

  • Next/Nuxt/Remix separate / interactive UI/state demos from /protected obfuscated HTML demos.
  • Astro separates / client-side DOM updates from /pre-encoded obfuscated HTML demos.
  • The Vue sample is SSR-only.

Local Verification

pnpm build
pnpm verify:examples
pnpm exec tsx scripts/playwright-browser-test.ts