I am using https://pavlovia.org to run some experiments in behavioral economics in risky-choice. The task requires the subjects to play (or not) different lotteries. The system creates javascript files which it runs on the subject's browser. However, I found it very easy to inspect and edit the javascript which would allow a malicious subject to give themselves an advantage (e.g. increase the probability of a lottery paying out).
If someone makes all the lotteries "win", it will be easy to tell they cheated, but if they boost the probabilities by a small amount it will be very hard.
Other than re-writing everything so that the logic is server-side, I wondered whether it is possible to compute a hash (md5 or sha) of the JS code on the client and sent it back to the server to check wither the JS has been edited. I found several posts related to computing hashes in javascript, but I wasn't sure whether a file could compute its own hash.
I appreciate that a sophisticated user could also hack that part of the code (e.g. copy the original file to another name and then edit the code that takes the hash to point to the original file, or something like that). But i wonder if this technique could be one more barrier to cheating.
The user has the ability to debug the JS code while running and replace values in some variables. Even if JS hashing was possible, it would not prevent that. I believe there is no other way than making part of the crucial logic on the server side.