WebAssembly Protection for Blazor
Shield provides specialized protection for Blazor WebAssembly applications, securing your client-side .NET code that runs directly in the browser.
Understanding Blazor WebAssembly Security Challenges
Blazor WebAssembly applications compile your C# code to WebAssembly (WASM), allowing it to run directly in the browser. This presents unique security challenges:
- The compiled WASM code is delivered to the client's browser
- Application logic and intellectual property may be exposed
- Standard .NET obfuscation techniques need adaptation for WASM
Shield addresses these challenges with specialized protection techniques designed for Blazor WebAssembly applications.
Protection Strategy for Blazor WebAssembly
Shield applies a multi-layered approach to securing Blazor WebAssembly applications:
- IL Code Protection: Applies transformations to your .NET code before WASM compilation
- Assembly Obfuscation: Renames and obfuscates assemblies while maintaining compatibility with the WASM runtime
- Resource Protection: Encrypts embedded resources and assets
- Reference Protection: Hides method calls and type references
- WASM-specific Features: Applies protection techniques optimized for the browser environment
Implementation
Prerequisites
- ByteHide Shield (Team, Scale, or Enterprise edition)
- Blazor WebAssembly project
Configuration
Create a shield.config.json file in the root of your Blazor WebAssembly project:
{
"preset": "custom",
"protections": {
"rename": {
"rename_public": false,
},
"constants_encryption": {},
"constants_protection": {},
"resources": {
"compress": true,
"encrypt": true
}
}
}
Shield will automatically detect that your assembly is a Blazor WebAssembly application and apply the necessary optimizations for WebAssembly compatibility.
Integration with MSBuild
Add Shield to your Blazor WebAssembly project using the NuGet package:
dotnet add package ByteHide.Shield
Recommended Protections
For Blazor WebAssembly applications, these protections provide the best balance of security and performance:
| Protection | Recommendation | Notes |
|---|---|---|
| Renamer | ✓ Essential | Set rename_public to false for WebAssembly projects |
| Constants Encryption | ✓ Recommended | Secures sensitive values and strings |
| Constants Mutation | ✓ Recommended | Adds additional security to constant values |
| Control Flow | Use with caution | Avoid if you need to debug the application as it prevents WebAssembly debugging |
| Resource Protection | ✓ Recommended | Secures embedded resources and assets |
Control Flow protection should be avoided if you need to debug your Blazor WebAssembly application, as it will prevent WebAssembly debugging capabilities. While the application will function correctly, debugging will not be possible.
Testing Protected Applications
After applying Shield protection to your Blazor WebAssembly application:
- Build your application in Release mode
- Verify that the protected application loads correctly in different browsers
- Test all functionality, especially any JavaScript interop features
- Check performance in targeted browser environments
Blazor WebAssembly applications run in the browser's security sandbox. While Shield significantly increases the difficulty of reverse engineering, it's important to maintain a defense-in-depth approach to security. Never store sensitive data or credentials in your client-side Blazor code.
Compatibility Considerations
Shield's Blazor WebAssembly protection is compatible with:
- Blazor WebAssembly 3.2+
- All modern browsers (Chrome, Firefox, Safari, Edge)
- JavaScript interop
- Progressive Web Apps (PWAs)
- Hybrid desktop applications using WebView