
Node.js Security

Security patterns for Node.js applications

Details

Language / Topic: Node.js
Category: Security

Rules

- Use `node:crypto` for secure random values and hashing; never implement custom cryptography.
- Validate all user input with schema validation libraries (Zod, Joi) before processing.
- Never use `eval()`, `Function()`, or `vm.runInNewContext()` with untrusted input; these enable code injection.
- Sanitize file paths with `path.resolve()` and `path.normalize()` to prevent directory traversal.
- Prevent prototype pollution by using `Object.create(null)` for lookup maps or by freezing objects.
- Use the `--permission` flag (Node 20+) to restrict filesystem and network access.
- Set `Content-Security-Policy`, `X-Frame-Options`, `X-Content-Type-Options`, and `Strict-Transport-Security` headers on all HTTP responses.