The Node.js Secure Coding Blog

Are you using regex to validate URLs? Learn from a CVE identified in the node-forge npm package that was using a regex pattern to validate URLs and resulted in a security vulnerability.

Learn how I discovered a Node.js core prototype pollution regression, its security implications, and why it didn't warrant a CVE. Luckily, I also fixed it for us!

A recent security issue in the Deno CLI (CVE-2024-37150) highlights the importance of secure credential handling. Learn how this vulnerability mirrors past npm CLI mistakes and what you can do to stay secure.

JavaScript developers need security skills to safeguard user data, prevent application breaches, and maintain user trust. Learn about essential security skills for writing secure code and fixing vulnerabilities in JavaScript applications.

Learn about Prototype Pollution in Node.js: what it is, how it works, and how to prevent it. Includes real-world examples and security best practices for developers.

Sasha shares how they inadvertently wrote a React Server Component code that would have resulted in a security breach, if not refactored in time to fix the issue. What can we learn and how to avoid security risks that developers easily repeat, especially as it blurs the line between client-side and server-side React code.

Interestingly enough, the IDOR vulnerability type is found as a CVE more commonly in some languages rather than others. Why is that and how can you prevent it?

The most upvoted Reddit answer to a question about serving images via a route in Express.js is a security vulnerability waiting to happen.

Are we going to settle the debate between raw SQL queries and ORMs once and for all? Let's explore the pros and cons of each approach and find the right balance between control and convenience.

Enhance your development workflow with JavaScript security best practices. Learn about Content Security Policy (CSP) in Nuxt.js, avoiding `eval` and `new Function` with untrusted input, secure DOM manipulation, cookie security, and third-party integration.