- Use `Bun.password.hash()` with argon2id algorithm for password hashing — no external bcrypt dependency needed.
- Use `Bun.CryptoHasher` for secure hashing operations (`sha256`, `sha512`, `blake2b256`).
- Validate all user input with schema validation (Zod, TypeBox) before processing.
- Use `Bun.serve()` TLS options (`tls: { cert, key }`) for HTTPS in production.
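- Constrain subprocesses started with `Bun.spawn()` by passing a restricted set of environment variables (`env`) and a dedicated working directory (`cwd`); this limits what the child inherits but is not OS-level isolation.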
- Set `Bun.serve()` `maxRequestBodySize` to prevent denial-of-service from oversized payloads.
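
The following signup endpoint is an added example, not code from the original page or from the Bun project. It combines the password hashing, input validation, TLS and body-size guidelines above. The `/signup` route, field names, limits, port and in-memory `users` Map are assumptions, and the hand-written validator stands in for a Zod or TypeBox schema so the block has no dependencies.

```javascript
// Added example, not project code. Route, field names, limits and the in-memory
// `users` Map are illustrative assumptions.
const MAX_BODY = 64 * 1024; // assumed cap; size it to the largest body you accept
const users = new Map();    // stand-in for a real user store

// Hand-written stand-in for a Zod/TypeBox schema: returns clean fields or throws.
function parseSignup(input) {
  if (typeof input !== "object" || input === null || Array.isArray(input))
    throw new TypeError("body must be a JSON object");
  const { email, password } = input;
  if (typeof email !== "string" || email.length > 254 ||
      !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email))
    throw new TypeError("invalid email");
  if (typeof password !== "string" || password.length < 12 || password.length > 128)
    throw new TypeError("password must be 12 to 128 characters");
  return { email: email.toLowerCase(), password };
}

// `hasher` defaults to Bun.password; it is a parameter so the handler can be
// exercised with a stub outside Bun.
async function handleSignup(req, hasher = globalThis.Bun?.password) {
  if (req.method !== "POST") return new Response("method not allowed", { status: 405 });
  let fields;
  try {
    fields = parseSignup(await req.json()); // malformed JSON also lands in catch
  } catch {
    return new Response("invalid request", { status: 400 });
  }
  // Store only the argon2id hash; check logins with Bun.password.verify(pw, hash).
  users.set(fields.email, await hasher.hash(fields.password, { algorithm: "argon2id" }));
  return new Response(null, { status: 201 });
}

// Options object for Bun.serve(): TLS material plus a request-body size cap.
function serveOptions({ cert, key }) {
  return {
    port: 8443,
    tls: { cert, key },
    maxRequestBodySize: MAX_BODY, // requests with larger bodies are rejected
    fetch: (req) => new URL(req.url).pathname === "/signup"
      ? handleSignup(req)
      : new Response("not found", { status: 404 }),
  };
}

// Under Bun:
// Bun.serve(serveOptions({ cert: Bun.file("cert.pem"), key: Bun.file("key.pem") }));
```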