How do I block coupon-scraping extensions from reading checkout inputs?

Secure Input isolates plaintext handling in a Web Worker and exposes encrypted payloads to the main thread, which reduces direct DOM scraping opportunities.

Does Secure Input support React and Next.js?

Yes. Use @secure-input/react for components and hooks, or use @secure-input/core for framework-agnostic JavaScript.

Can I use Secure Input with vanilla JavaScript?

Yes. The @secure-input/core package is framework-agnostic and works with vanilla JavaScript as well as Vue, Svelte, and Angular.

Is this full security or obfuscation?

Secure Input raises the bar against automated scraping but should be combined with server-side validation, key management, and rate limiting.

WASM-Powered Protection

Protect your checkout
from coupon-stealing extensions.

Stop extensions like Honey from scraping and leaking your discount codes. A lightweight WebAssembly library that obfuscates sensitive e-commerce inputs from client-side bots.

Get Started

~30KB Gzipped

Zero Dependencies

Type Safe

Core Architecture

Designed for performance and isolation. Plain text never exists in the main thread or DOM.

Packages

MODULE_01

@secure-input/core

Runtime Engine

The standalone orchestration layer. Handles secure communication with Web Workers, manages encryption lifecycles, and exposes a high-level API for any JS environment.

SIZE: ~15KBDEPS: ZERO

npm i @secure-input/core

MODULE_02

@secure-input/react

UI Adaptation

First-class React support. Includes hooks for managing worker state and optimized wrapper components that prevent DOM-based scraping out of the box.

SIZE: ~5KBTYPE: STRONGLY TYPED

npm i @secure-input/react

MODULE_03

@secure-input/wasm

Binary Core

The cryptographic heart. Contains the Rust-compiled ChaCha20Poly1305 implementation. Usually installed as a dependency of the core runtime.

SIZE: ~10KBRUNTIME: WASM32

Internal Dependency

Security Notice

This library provides obfuscation, not absolute security. It defeats basic extensions, DOM inspection, and simple JS injection. It does not protect against low-level keyloggers, network traffic inspection, or determined reverse-engineering. Always pair with robust server-side validation and rate limiting.

Implementation is minimal.

One component. Total isolation. Zero friction.

CouponForm.tsx

"text-accent">import { SecureInput } "text-accent">from "@secure-input/react";

"text-accent">export "text-accent">function CouponForm() {
  "text-accent">const handleSubmit = "text-accent">async (encryptedValue: string) => {
    // Plain text is never exposed here.
    "text-blue-400">await fetch("/api/validate", {
      method: "POST",
      body: encryptedValue,
    });
  };

  "text-accent">return (
    <SecureInput
      placeholder="Enter coupon code"
      onEncryptedSubmit={handleSubmit}
    />
  );
}

View Documentation

Frequently Asked Questions

Everything you need to know about protecting your checkout flow.

Protect your checkout
from coupon-stealing extensions.

Core Architecture

WASM Encryption

Worker Isolation

Framework Agnostic

Packages

@secure-input/core

@secure-input/react

@secure-input/wasm

Security Notice

Implementation is minimal.

React

Vue

Vanilla JS

Frequently Asked Questions

Protect your checkout from coupon-stealing extensions.

Core Architecture

WASM Encryption

Worker Isolation

Framework Agnostic

Packages

@secure-input/core

@secure-input/react

@secure-input/wasm

Security Notice

Implementation is minimal.

React

Vue

Vanilla JS

Frequently Asked Questions

How do I block the Honey extension from stealing coupon codes?

Does this prevent users from manually sharing promo codes?

Is this library compatible with React and Next.js checkouts?

Can DOM inspectors read the plain text?

Protect your checkout
from coupon-stealing extensions.