TypeScript Security
Priority: P0 (CRITICAL)
Security standards for TypeScript applications based on OWASP guidelines.
Implementation Guidelines
- Validation: Validate every input (body, query, params, headers) with zod, joi or class-validator and reject anything that fails the schema.
- Sanitization: Escape output by default; where rich HTML must be rendered, sanitize it with DOMPurify to prevent XSS.
- Secrets: Load secrets from environment variables or a secrets manager. Never hardcode them.
- SQL Injection: Use parameterized queries or an ORM (Prisma/TypeORM). Never build SQL by string concatenation, including inside raw-query escape hatches.
- Auth: Hash passwords with bcrypt (slow, salted), never a plain fast hash such as SHA-256. Implement strict RBAC and enforce it on every request.
- HTTPS: Enforce HTTPS (redirect plus HSTS). Set cookies with the secure, httpOnly and sameSite attributes.
- Rate Limit: Rate-limit login and other sensitive endpoints to slow brute-force and credential stuffing. Volumetric DDoS needs upstream protection beyond the application.
- Deps: Audit dependencies with npm audit and commit a lockfile.
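The Auth and Rate Limit items above, as an added example that is not part of this page's own code: a login check that hashes with a salted memory-hard KDF, compares in constant time, hashes even for unknown accounts (so response time does not reveal whether an email exists), and runs a per-client fixed-window limiter before any hashing is done. The page recommends bcrypt; this example swaps in Node's built-in scrypt so it runs with no third-party packages. The user store, limiter parameters, function names and IP addresses are constructed assumptions.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto';

// Added example: scrypt (built into Node) stands in for the bcrypt the page
// recommends, so this file runs with no dependencies.
const SCRYPT_N = 16384; // CPU/memory cost; raise as hardware allows
const KEY_LEN = 64;

// Stored format carries algorithm, cost and salt so parameters can be
// rotated later without invalidating existing hashes.
export function hashPassword(password: string): string {
  const salt = randomBytes(16);
  const key = scryptSync(password, salt, KEY_LEN, { N: SCRYPT_N });
  return `scrypt$${SCRYPT_N}$${salt.toString('base64')}$${key.toString('base64')}`;
}

export function verifyPassword(password: string, stored: string): boolean {
  const [alg, nStr, saltB64, keyB64] = stored.split('$');
  if (alg !== 'scrypt' || !nStr || !saltB64 || !keyB64) return false;
  const expected = Buffer.from(keyB64, 'base64');
  let actual: Buffer;
  try {
    actual = scryptSync(password, Buffer.from(saltB64, 'base64'), expected.length, { N: Number(nStr) });
  } catch {
    return false; // malformed or tampered parameters (e.g. an absurd N) fail closed
  }
  // Constant-time comparison: a plain === would leak how many leading bytes matched.
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Fixed-window counter keyed by client (IP, account, or both). The clock is
// injectable so the window can be advanced deterministically in tests.
export class FixedWindowLimiter {
  private readonly hits = new Map<string, { count: number; resetAt: number }>();
  constructor(
    private readonly limit: number,
    private readonly windowMs: number,
    private readonly now: () => number = Date.now,
  ) {}

  // true = request allowed; false = caller should respond 429 and back off.
  allow(key: string): boolean {
    const t = this.now();
    const entry = this.hits.get(key);
    if (!entry || t >= entry.resetAt) {
      this.hits.set(key, { count: 1, resetAt: t + this.windowMs });
      return true;
    }
    entry.count += 1;
    return entry.count <= this.limit;
  }
}

export type LoginResult = 'ok' | 'bad_credentials' | 'rate_limited';

// Hashed once at startup and verified against when the account does not
// exist, so unknown emails cost the same time as known ones.
const DUMMY_HASH = hashPassword(randomBytes(32).toString('hex'));

export function login(
  users: Map<string, { passwordHash: string }>,
  limiter: FixedWindowLimiter,
  clientIp: string,
  email: string,
  password: string,
): LoginResult {
  // Consult the limiter before doing any expensive work.
  if (!limiter.allow(`login:${clientIp}`)) return 'rate_limited';
  const user = users.get(email);
  const ok = verifyPassword(password, user?.passwordHash ?? DUMMY_HASH);
  // One generic failure: never distinguish "no such user" from "wrong password".
  return ok && user ? 'ok' : 'bad_credentials';
}

// Constructed sample store (not from the page): one account, hashed at startup.
export const sampleUsers = new Map<string, { passwordHash: string }>([
  ['alice@example.com', { passwordHash: hashPassword('correct horse battery staple') }],
]);
```

In a real service the limiter state lives in a shared store (Redis or similar) rather than process memory, and the key usually combines client IP with the target account so a distributed attack on one account is also throttled.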
Anti-Patterns
- No eval(): Never pass untrusted strings to eval(), new Function(), or the string forms of setTimeout/setInterval.
- No Plaintext: Never commit secrets; keep .env files out of version control.
- No Trust: Client-side checks are for usability only. Validate and authorize everything again on the server.
Code
```typescript
import { z } from 'zod';

// Validation (Zod): parse untrusted input against a schema before using it.
// UserSchema.safeParse(input) returns { success: false, error } rather than throwing.
const UserSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
});

// Secure Cookie: not readable by scripts, only sent over HTTPS in production,
// and not attached to cross-site requests (CSRF mitigation).
const cookieOpts = {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production', // the conventional value is 'production', not 'prod'
  sameSite: 'strict' as const,
};
```
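The cookie options above carried through to the `Set-Cookie` header, as an added example that is not the page's own code: the serializer rejects names and values that could smuggle extra attributes or header lines, refuses `SameSite=None` without `Secure` (browsers drop such cookies), and enforces the `__Host-` prefix rules (Secure, Path=/, no Domain). The function name, option type and sample cookies are assumptions.

```typescript
export type SameSite = 'strict' | 'lax' | 'none';

export interface CookieOptions {
  httpOnly?: boolean;
  secure?: boolean;
  sameSite?: SameSite;
  maxAge?: number; // seconds
  path?: string;
  domain?: string;
}

// RFC 6265 cookie-name token and cookie-octet. Rejecting ';', ',', '"', '\',
// whitespace and control characters blocks attribute and header injection.
const NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
const VALUE_RE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

// Added example: build one Set-Cookie header value, failing closed on
// combinations browsers reject or that weaken the cookie.
export function serializeCookie(name: string, value: string, opts: CookieOptions): string {
  if (!NAME_RE.test(name)) throw new Error('invalid cookie name');
  if (!VALUE_RE.test(value)) throw new Error('invalid cookie value');
  if (opts.sameSite === 'none' && !opts.secure) {
    throw new Error('SameSite=None requires Secure');
  }
  const path = opts.path ?? '/';
  if (name.startsWith('__Host-') && (!opts.secure || opts.domain !== undefined || path !== '/')) {
    throw new Error('__Host- cookies require Secure, Path=/ and no Domain');
  }
  if (opts.maxAge !== undefined && (!Number.isInteger(opts.maxAge) || opts.maxAge < 0)) {
    throw new Error('maxAge must be a non-negative integer number of seconds');
  }

  const parts = [`${name}=${value}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${opts.maxAge}`);
  if (opts.domain !== undefined) parts.push(`Domain=${opts.domain}`);
  parts.push(`Path=${path}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    parts.push(`SameSite=${opts.sameSite.charAt(0).toUpperCase()}${opts.sameSite.slice(1)}`);
  }
  return parts.join('; ');
}

// Constructed usage (not from the page): a production session cookie.
export const sessionHeader = serializeCookie('__Host-session', 'abc123', {
  httpOnly: true,
  secure: true,
  sameSite: 'strict',
  maxAge: 3600,
});
```

Frameworks such as Express set these attributes for you via `res.cookie(name, value, cookieOpts)`; the point of writing the serializer out is to see which combinations are silently unsafe (a `SameSite=None` cookie without `Secure` never reaches the server) and to make sure any hand-built header applies the same checks.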
Reference & Examples
For authentication patterns and security headers: See references/REFERENCE.md.
Related Topics
common/security-standards | best-practices | language