- Never hand tokens or passwords to `localStorage` through a port. `sessionStorage` is no safer against injected script (any script running on the origin can read both; it only shortens the lifetime to the tab), so prefer HTTP-only cookies that the server sets and the client never sees, or keep the token only in the Elm model for the life of the page.
- Type every incoming port as `Json.Decode.Value` and decode it with a `Json.Decode` decoder (`Json.Decode.decodeValue`), treating port input as untrusted external data. A port declared with a concrete Elm type fails at runtime when JavaScript sends a value of the wrong shape; a decoder turns the same situation into a `Result` your `update` function can handle.
- Pass only validated URLs to `Html.Attributes.href` and `Html.Attributes.src`; never interpolate user input into them. `elm/html` blanks `javascript:` URIs in these attributes (and `data:text/html` in `src`), but it does not check that the destination is one you intended, so parse the value (for example with `Url.fromString`) and allow only the schemes and hosts you expect.
- Send Bearer tokens in an `Http.header "Authorization"` for authenticated API calls, never in the query string: URLs land in server and proxy logs, browser history and `Referer` headers, which request headers normally do not.
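The following module shows the four rules above working together in one place. It is an added example written for this page, not code from the original page or from any Elm project: the module name `Session`, the port name `sessionFromJs`, the JSON field names `token` and `profileUrl`, and the endpoint `https://api.example.com/me` are all assumptions. The incoming port is typed as `Json.Decode.Value` and decoded with a decoder that rejects empty tokens and any URL that is not absolute `https`; the token lives only in the `Session` record that the decoder returns, travels to the API in an `Authorization` header, and only a URL that passed the decoder ever reaches `href`.

```elm
port module Session exposing (Msg(..), Session, fetchProfile, profileLink, sessionDecoder, subscriptions)

-- Added example for this page (not the page's own code). Assumed names:
-- port `sessionFromJs`, fields `token` / `profileUrl`, URL https://api.example.com/me.

import Html exposing (Html, a, text)
import Html.Attributes exposing (href)
import Http
import Json.Decode as Decode exposing (Decoder)
import Url


-- Incoming port typed as Value: nothing JavaScript sends is trusted until decoded.
-- (JS side: app.ports.sessionFromJs.send({ token: "...", profileUrl: "https://..." }))
port sessionFromJs : (Decode.Value -> msg) -> Sub msg


type alias Session =
    { token : String
    , profileUrl : String
    }


type alias Model =
    { session : Maybe Session }


type Msg
    = GotSession (Result Decode.Error Session)
    | GotProfile (Result Http.Error String)


sessionDecoder : Decoder Session
sessionDecoder =
    Decode.map2 Session
        (Decode.field "token" nonEmptyString)
        (Decode.field "profileUrl" httpsUrl)


nonEmptyString : Decoder String
nonEmptyString =
    Decode.string
        |> Decode.andThen
            (\s ->
                if String.isEmpty (String.trim s) then
                    Decode.fail "token must not be empty"

                else
                    Decode.succeed s
            )


-- Accept only absolute https URLs. Url.fromString returns Nothing for anything
-- that is not http(s)://, which covers javascript:, data: and protocol-relative input.
httpsUrl : Decoder String
httpsUrl =
    Decode.string
        |> Decode.andThen
            (\s ->
                case Url.fromString s of
                    Just url ->
                        if url.protocol == Url.Https then
                            Decode.succeed (Url.toString url)

                        else
                            Decode.fail "URL must use https"

                    Nothing ->
                        Decode.fail "not an absolute URL"
            )


-- decodeValue turns a malformed message into a GotSession (Err ...) instead of a runtime failure.
subscriptions : Model -> Sub Msg
subscriptions _ =
    sessionFromJs (Decode.decodeValue sessionDecoder >> GotSession)


-- The Bearer token goes in the Authorization header; the URL carries no credentials.
fetchProfile : Session -> Cmd Msg
fetchProfile session =
    Http.request
        { method = "GET"
        , headers = [ Http.header "Authorization" ("Bearer " ++ session.token) ]
        , url = "https://api.example.com/me"
        , body = Http.emptyBody
        , expect = Http.expectString GotProfile
        , timeout = Nothing
        , tracker = Nothing
        }


-- Only a URL that passed httpsUrl can be stored in a Session, so href never sees raw input.
profileLink : Session -> Html Msg
profileLink session =
    a [ href session.profileUrl ] [ text "Profile" ]
```

Because `Session` can only be constructed by `sessionDecoder`, the type system enforces the validation at every later use: `fetchProfile` and `profileLink` cannot be called with an undecoded value. If the token must survive a reload, the same design holds with an HTTP-only cookie set by the server, in which case the `token` field and the `Authorization` header disappear and the browser attaches the cookie itself.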