i’ve used google closure and haxe optimizer flags, e.g.
<haxelib name="closure" if="release" unless="windows" />
<haxeflag name="-dce full" if="release" />
<haxeflag name="-D closure_overwrite" if="release" />
it seems that it’s generating pretty good obfuscated code. the only thing you have to do is manually mask accessing LoaderInfo#url (use some sort of reflection on stage.loaderInfo to do it) and obviously, not name site-lock related code with explicit names
I would also recommend not only presenting a “site lock” text/screen, but, silently proceed and randomly disable gameplay features in case of wrong domain (e.g. in a Mario-like game, disable jumping or moving, spawning enemies, corrupting the level, etc).
i’ve also mulled over the idea of generating the sitelocking code at runtime, using some technique like js safe of google ctf 2018 (https://github.com/google/google-ctf/tree/master/2018/beginners/web-js-safe-1) and also this code could also set some global variables that can be used to check their values randomly during gameplay, when the game starts/end, etc. However, I’m not sure how to implement this thingie in Haxe.
additionally, if you game is hosted on your own server, you can use some sort of a “heart-beat” server side script that is called by the client in random placed in the game code -> if the heart beat isn’t there, lock the game (although there might be potential issues with this approach for legitimate players).