v1.0.0
Reviews Node.js code for security vulnerabilities — input sanitization, eval/exec prevention, HTTP header hardening, dependency risks, and prototype pollution. Server-side JavaScript runs with full system access, so a single unsanitized input can compromise the entire host.
A review skill focused on server-side JavaScript security vulnerabilities and hardening.
Run this on any Node.js backend code, especially code that handles user input, authentication, or external API communication. Critical for public-facing services.
Sanitize and escape all user-provided input before rendering in HTML, executing in SQL, or passing to system commands. Unsanitized input is the entry point for XSS, SQL injection, and command injection attacks — the three most exploited vulnerability classes in web applications.
Never use eval(), new Function(), or vm.runInScript() with user-provided input. These functions execute arbitrary code with the full privileges of your Node.js process — an attacker can read files, access databases, or take over the entire server.
Set security headers on all HTTP responses: Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security. Missing headers leave your app vulnerable to XSS, clickjacking, MIME sniffing, and protocol downgrade attacks.
Never merge user-controlled objects into application objects using Object.assign, spread, or deep-merge without validation. Prototype pollution lets an attacker inject __proto__ properties that modify the behavior of every object in your application — enabling denial of service, authentication bypass, or remote code execution.
BeforeMerge scans your pull requests against all 4 Node.js Security Review rules automatically. Get actionable feedback before code ships.