Quote Originally Posted by Old Pedant View Post
I think perhaps I need to clarify what I've been trying to say: If the code *ALONE* can encrypt/decrypt something, then it's insecure. Because for that to happen, the keyword must be embedded somewhere in the code.
Having the code alone able to decrypt something on the server is just as useless as in the client. If the code alone anywhere can decrypt something then just running the code gets you the devrypted version no matter where the code is run.

JavaScript is no less secure with proper encryption than anything on the server - with proper encryption the algorithm is known whether the exact implementation in code is visible (as with JavaScript) or not visible (on the server) and the encryption relies on not being able to use just the knowledge of the algorithm to perform the decryption - you also need the password or key.