- Build with `ReleaseSafe` in production to retain bounds checking, overflow detection, and null pointer checks with minimal performance impact.
- Always validate slice bounds before indexing — use `slice[0..n]` sub-slicing with explicit length validation rather than raw pointer arithmetic.
- Avoid `@ptrCast` and `@intToPtr` (renamed `@ptrFromInt` in Zig 0.11) unless interfacing with C; prefer typed pointers and slices that carry length information.
- Use `std.crypto` primitives (`std.crypto.aead.chacha_poly.ChaCha20Poly1305`, `std.crypto.hash.sha2.Sha256`) instead of rolling custom crypto.
- Zero sensitive data buffers (keys, passwords) with `std.crypto.utils.secureZero` before deallocation to prevent secrets from lingering in freed memory.
- Use `std.fs.openFileAbsolute` with explicit `OpenFlags` (no world-write, no follow symlinks) when opening files from user-provided paths.
- Enable undefined behavior sanitizer checks by building with `ReleaseSafe` during integration testing to catch integer overflow and invalid casts.
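
The following is an added example, not code from the original page: it combines the slice-validation, `std.crypto` and `secureZero` items above by opening one encrypted record from an untrusted buffer. The wire format, `openRecord` and `OpenError` are hypothetical names chosen for illustration, and the `std.crypto.utils.secureZero` path is the one the list names (standard-library paths differ between Zig releases).

```zig
const std = @import("std");
const Aead = std.crypto.aead.chacha_poly.ChaCha20Poly1305;

// Hypothetical wire format: nonce (12) || tag (16) || length (u16, big-endian) || ciphertext.
const header_len = Aead.nonce_length + Aead.tag_length + 2;
pub const OpenError = error{ Truncated, LengthMismatch, OutputTooSmall, AuthenticationFailed };

/// Decrypts one record from an untrusted buffer into `out`; returns the plaintext slice.
pub fn openRecord(record: []const u8, key: [Aead.key_length]u8, out: []u8) OpenError![]u8 {
    // Validate every length before sub-slicing; no pointer arithmetic anywhere.
    if (record.len < header_len) return error.Truncated;
    const nonce: [Aead.nonce_length]u8 = record[0..Aead.nonce_length].*;
    const tag: [Aead.tag_length]u8 = record[Aead.nonce_length..][0..Aead.tag_length].*;
    const len_off = Aead.nonce_length + Aead.tag_length;
    const n = (@as(usize, record[len_off]) << 8) | record[len_off + 1];
    if (n != record.len - header_len) return error.LengthMismatch; // declared vs. actual size
    if (n > out.len) return error.OutputTooSmall;
    const ct = record[header_len..][0..n];
    Aead.decrypt(out[0..n], ct, tag, "", nonce, key) catch return error.AuthenticationFailed;
    return out[0..n];
}

test "round trip, truncation and tamper detection" {
    var key: [Aead.key_length]u8 = undefined;
    std.crypto.random.bytes(&key);
    defer std.crypto.utils.secureZero(u8, &key); // wipe the key when the scope exits

    const msg = "constructed sample"; // constructed test input
    var rec: [header_len + msg.len]u8 = undefined;
    std.crypto.random.bytes(rec[0..Aead.nonce_length]);
    rec[header_len - 2] = 0;
    rec[header_len - 1] = msg.len;
    Aead.encrypt(rec[header_len..], rec[Aead.nonce_length..][0..Aead.tag_length], msg, "", rec[0..Aead.nonce_length].*, key);

    var out: [64]u8 = undefined;
    try std.testing.expectEqualSlices(u8, msg, try openRecord(&rec, key, &out));
    try std.testing.expectError(error.Truncated, openRecord(rec[0..10], key, &out));
    rec[header_len] ^= 1; // flip one ciphertext bit
    try std.testing.expectError(error.AuthenticationFailed, openRecord(&rec, key, &out));
}
```

Running it with `zig test -O ReleaseSafe` keeps the bounds and overflow checks from the first and last items active while the test executes.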