Originally Posted by Old Pedant
I think perhaps I need to clarify what I've been trying to say: If the code *ALONE* can encrypt/decrypt something, then it's insecure. Because for that to happen, the keyword must be embedded somewhere in the code.
Having the code alone able to decrypt something on the server is just as useless as in the client. If the code alone anywhere can decrypt something then just running the code gets you the devrypted version no matter where the code is run.