Node.js Security

v1.0.0

Reviews Node.js code for security vulnerabilities — input sanitization, eval/exec prevention, HTTP header hardening, dependency risks, and prototype pollution. Server-side JavaScript runs with full system access, so a single unsanitized input can compromise the entire host.

14 rules

1 categories

Security(14)

Store secrets in env or a secret manager, never in code

Keep API keys, tokens, and credentials out of source; load them from environment variables or a managed secret store.

CRITICAL

Avoid eval() and Dynamic Code Execution

Never use eval(), new Function(), or vm.runInScript() with user-provided input. These functions execute arbitrary code with the full privileges of your Node.js process — an attacker can read files, access databases, or take over the entire server.

NodeInjection

Automate Node.js Security checks on every PR

BeforeMerge scans your pull requests against all 14 Node.js Security rules automatically. Get actionable feedback before code ships.

Join Waitlist Browse All Rules

Node.js Security Review

A review skill focused on server-side JavaScript security vulnerabilities and hardening.

What it covers

Input sanitization — SQL/NoSQL injection, command injection, path traversal, template injection
Dangerous APIs — eval(), child_process.exec(), Function constructor, dynamic require
HTTP hardening — security headers (CSP, HSTS, X-Frame-Options), CORS configuration, cookie flags
Authentication — secure session handling, timing-safe comparison, bcrypt/scrypt for passwords
Prototype pollution — safe object merging, proto rejection, frozen prototypes for critical objects
Dependency risks — known CVE scanning, minimal dependency surface, postinstall script auditing

When to use

Run this on any Node.js backend code, especially code that handles user input, authentication, or external API communication. Critical for public-facing services.

Node.js Security

Security(14)

Store secrets in env or a secret manager, never in code

Avoid eval() and Dynamic Code Execution

Automate Node.js Security checks on every PR

Use parameterized queries to prevent injection

Sanitize User Input

Rate-limit public and auth endpoints

Avoid Prototype Pollution

Implement CSRF protection for state-changing requests

Set Security Headers

Avoid leaking stack traces and internal errors to clients

Pin and verify dependency integrity with a lockfile

Keep dependencies patched and run npm audit in CI

Use HTTPS and secure, httpOnly, sameSite cookies

Limit request body size to prevent resource exhaustion

Run the process with least privilege, not as root

Node.js Security Review

What it covers

When to use