DOMPurify
What is DOMPurify
This page is a practical distillation of the OWASP NPM Security Cheat Sheet, organized by workflow phase. For the why — attack vectors, incident history, and defense rationale — read npm Supply Chain Attacks first; this page is the "what to do" reference, with particular emphasis on publisher-side hygiene.
A supply chain attack in the npm ecosystem occurs when an attacker compromises a package — or the infrastructure around it — to inject malicious code into applications that depend on it. npm is uniquely exposed to this class of attack: the registry hosts over 3 million packages, the average project pulls in hundreds of transitive dependencies, many packages are maintained by a single person, and npm install executes arbitrary install scripts by default. This page covers what has happened, how these attacks work, and what you can do to defend against them.
Prototype pollution is a JavaScript-specific vulnerability class where an attacker injects properties into Object.prototype, affecting every object in the application. It is less well-known than XSS or CSRF, but has led to serious real-world exploits — including remote code execution in Node.js.
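The mechanism described above, as an added example that is not from this page: an unsafe recursive merge that lets a crafted JSON body write onto Object.prototype, next to a hardened merge that refuses the keys that reach the prototype chain. The merge functions and the payload are constructed for illustration.

```javascript
// Added example (not from the page): prototype pollution through an unsafe
// recursive merge of attacker-controlled JSON, beside a hardened merge.

// Vulnerable: walks every key of `source`, including an own "__proto__" key
// that JSON.parse happily creates. target["__proto__"] resolves to
// Object.prototype, so the recursion writes onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object" && target[key] && typeof target[key] === "object") {
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skips the keys that reach the prototype chain, iterates own keys
// only, and only descends into objects that `target` itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) && target[key];
      if (!own || typeof own !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. the body of a JSON request.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Returns what a fresh {} reports for isAdmin before and after each merge.
function demo() {
  const before = ({}).isAdmin;                 // undefined
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const afterUnsafe = ({}).isAdmin;            // true: every object is now "admin"
  delete Object.prototype.isAdmin;             // undo the pollution for the next run
  safeMerge({}, JSON.parse(PAYLOAD));
  const afterSafe = ({}).isAdmin;              // undefined: payload never reached the prototype
  return { before, afterUnsafe, afterSafe };
}
```

For objects that only ever hold attacker-supplied keys, creating them with Object.create(null) removes the prototype chain entirely and closes this path regardless of how the merge is written.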
Security is a first-class concern, not an afterthought. This page is a condensed reference of the most common web security topics — each section gives the core idea, what to do about it, and where to go deeper. For topic-specific deep dives, see the dedicated pages linked throughout this section.