Prevent Javascript games tweaking/hacking

Question

Thanks to the recent browsers enhancements, developing games with canvas and javascript has become a good option, but now that the code is easily accessible, just writing

javascript:score=99999

or

javascript:lives=99

Will spoil the game objectives.

I know that with some server-side checking something can be done, but I would prefer to access the server just to store player stats at the end, or even have it client only in most cases.

I wonder if at least the are some best pratices to start with.

(using not so obvious variables names is a start, but not enough)

-Added-

Thanks for the replies, I was looking to improve the client-side code, enough to stop "casual hackers", but still leaving the code as clean as possible. Anyone that really wants to hack it will succeed anyway, even with server-side checks, as I've seen it in many flash games.

Answer 1

One way is to send a record of every move to the server as well, then to verify that those moves would have got that score.

That's easy for games like solitaire or chess, but not really for more complex games.

A simpler version of that is to work out the max points that could be obtained per second, or per move, then to verify that the score isn't higher than your theoretical maximum.

Another way is for each move to be recorded on the server, and to total up the score there. That means there is no send at the end of the game, and that those variables are only for display, not the real score.

Offline games could be starred on the highscore table or something to show they aren't verified.

It's worth pointing out that with any javascript debugger, such as the Inspector in Webkit, Firebug for Firefox or Dragonfly on Opera it's trivial to change the value of variables on the client side, even if your code is in a closure. Any form of obfuscation is pointless, as again it's easy to watch which variable corresponds to the score as the game is played, and any encoding or whatever can simply be read out of the code.

Answer 2

In order of preference:

1. Send player moves or statistics to server. Prevent strange behavior. eg: Score too high, invalid actions, actions that cannot be replayed, etc
2. Prevent strange behavior on client-side. Same as above but not on server. eg: sudden lives changed, moving too fast, etc
3. Create obfuscated JS output (which you should be doing to reduce JS size anyways) eg: GWT (Java to JS compiler), Google Closure Compiler (ADVANCED_OPTIMIZATIONS will obfuscate more, --output-wrapper (function(){%output%})() to wrap in closure), Yahoo Compressor
4. Obfuscate variable values eg: Encode strings (xor, substitution, BASE64), don't use normal variable increments
5. Use a closure to encapsulate variable names: (function(){code here})()

EDIT: I want to make clear that the best solution is still to move calculations to the server, as Rich Bradshaw had said. These things can only do so much, even after you obfuscate the code.

Here's a link that also applies to your Javascript game, and I think is probably the best possible answer to your question: What is the best way to stop people hacking the PHP-based highscore table of a Flash game

The most important idea to get from that link is:

The objective isn't to stop this attack; it's to make the attack more expensive than just getting really good at the game and beating it.