Node.js Security

v1.0.0

Reviews Node.js code for security vulnerabilities — input sanitization, eval/exec prevention, HTTP header hardening, dependency risks, and prototype pollution. Server-side JavaScript runs with full system access, so a single unsanitized input can compromise the entire host.

4 rules

1 categories

Security(4)

Sanitize User Input

Sanitize and escape all user-provided input before rendering in HTML, executing in SQL, or passing to system commands. Unsanitized input is the entry point for XSS, SQL injection, and command injection attacks — the three most exploited vulnerability classes in web applications.

NodeSanitizationXSS

CRITICAL

Automate Node.js Security checks on every PR

BeforeMerge scans your pull requests against all 4 Node.js Security rules automatically. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Node.js Security Review

A review skill focused on server-side JavaScript security vulnerabilities and hardening.

What it covers

Input sanitization — SQL/NoSQL injection, command injection, path traversal, template injection
Dangerous APIs — eval(), child_process.exec(), Function constructor, dynamic require
HTTP hardening — security headers (CSP, HSTS, X-Frame-Options), CORS configuration, cookie flags
Authentication — secure session handling, timing-safe comparison, bcrypt/scrypt for passwords
Prototype pollution — safe object merging, proto rejection, frozen prototypes for critical objects
Dependency risks — known CVE scanning, minimal dependency surface, postinstall script auditing

When to use

Run this on any Node.js backend code, especially code that handles user input, authentication, or external API communication. Critical for public-facing services.