JavaScript Security

Open-source JavaScript projects categorized as Security | Edit details

Top 23 JavaScript Security Projects


    ⚙️ NGINX config generator on steroids 💉

    Project mention: [software] NGINX configuration generator | | 2021-11-10
  • openzeppelin-contracts

    OpenZeppelin Contracts is a library for secure smart contract development.

    Project mention: 5 Tips & Tricks in UniswapV2 Contracts for DeFi Developers  | | 2022-01-22

    Openzeppelin ERC-20-Permit (in draft status)

  • Scout APM

    Less time debugging, more time building. Scout APM allows you to find and fix performance issues with no hassle. Now with error monitoring and external services monitoring, Scout is a developer's best friend when it comes to application development.

  • KeeWeb

    Free cross-platform password manager compatible with KeePass

    Project mention: Chromebox: what password manager do you use? | | 2022-01-17
  • DOMPurify

    DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

    Project mention: How to allow custom entered HTML in item description, but make sure no JS gets entered? | | 2022-01-02

    You can use an input sanitizer. I'd use something like DOMPurify if you don't want to write the sanitizer yourself. But yeah you should not allow or remove a certain tags like script and img.

  • awesome-ctf

    A curated list of CTF frameworks, libraries, resources and softwares

    Project mention: How to solve CTF ☠️ (Capture_the_flags) | | 2021-10-31 - Comprehensive list of tools and further reading

  • BeEF

    The Browser Exploitation Framework Project

    Project mention: be warned, there's this new thing going around that nobody is talking about but it sends a link and i think your account gets taken over and you can't get it back. it seems to start with "hey can i ask you for a quick favor?" and if you respond, it seems to actually talk back | | 2022-01-03
  • arkime

    Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.

    Project mention: I'm currently studying to transition from a SIEM administrator to a network forensics analyst. What's are good workflows/resources for analyzing PCAPs? | | 2021-12-14

    Full PCAP's? Look at or network miner. Arkime is probably more what you're looking for. But I love network miner

  • SonarLint

    Deliver Cleaner and Safer Code - Right in Your IDE of Choice!. SonarLint is a free and open source IDE extension that identifies and catches bugs and vulnerabilities as you code, directly in the IDE. Install from your favorite IDE marketplace today.

  • cloudmapper

    CloudMapper helps you analyze your Amazon Web Services (AWS) environments.

    Project mention: Is there a tool to map a AWS/vpc environment? | | 2021-09-03
  • user.js

    Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening

    Project mention: An extension seems to have logged a bung of information, what should I do first? | | 2022-01-22

    Looks like the same situation as here. As recommended there, check your about:debugging for extension UUID that matches with what you called "(some string)".

  • shhgit

    Ah shhgit! Find secrets in your code. Secrets detection for your GitHub, GitLab and Bitbucket repositories:

    Project mention: My MetaMask Private Keys Stolen from GitHub Private Repo in 1 Hour | | 2022-01-06

    Assuming that the person you were working with didn't drain your wallet, there are many tools which can be used to actively monitor for commits being done on GitHub with secrets of sort.

    The first one that comes to my mind is shhgit (

    Anyone can self host it and then add multiple GitHub Dev keys to it. Then this can be used to monitor GitHub commits being done, majority of which can be categorized as "secrets".

  • ClearURLs-Addon

    ClearURLs is an add-on based on the new WebExtensions technology and will automatically remove tracking elements from URLs to help protect your privacy.

    Project mention: DeGoogling with my tag is the cherry on top...(left)... | | 2021-11-12
  • Retire.js

    scanner detecting the use of JavaScript libraries with known vulnerabilities

    Project mention: OWASP Top 10 for Developers: Using Components with Known Vulnerabilities | | 2021-09-14

    In order to prevent this issue, your organization needs to implement regular checks of your dependencies against the CVE database for known vulnerabilities, as well as establishing a process for keeping all dependencies up-to-date. Fortunately, much of this can be automated using vulnerability scanning tools, such as the OWASP Dependency Check, RetireJS, or Brakeman. Additional tools, such as WhiteSource's Renovate, provide a complete dependency management solution by automatically updating any found vulnerabilities. In addition to keeping dependencies updated, it's important to remove any dependencies that are no longer being used.

  • sanitize-html

    Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance

    Project mention: How To Parse and Render Markdown In Vuejs | | 2021-08-26

    Vue does not have as much support for Vue as there is for React. Examples are markdown-it, Remark.js, marked.js. But hopefully in the future, there should be more support, and after much research, I picked marked.js because it has the most stars and has zero vulnerability. Marked does not sanitize (meaning it does not secure HTML documents from attacks like cross-site scripting (XSS) ) marked output HTML as that feature is deprecated and has vulnerability but however, it supports the use of other libraries to secure output HTML such as DOMPurify (recommended), sanitize-html or insane.

  • vm2

    Advanced vm/sandbox for Node.js

    Project mention: The Perfect Configuration Format? Try TypeScript | | 2021-11-17

    This could be solved by having some kind of sandbox (, but I agree it complicates it.

    It would be cool if tsc had a flag —sandboxed or similar that does not allow any sideeffects (fs access, output, forking, net requests, etc)

  • express-gateway

    A microservices API Gateway built on top of Express.js

    Project mention: Building an Express Gateway Policy | | 2021-08-29

    This post will show you how to build a policy (middleware) for your express gateway. Before creating a policy, we need to create a plugin.

  • StegCloak

    Hide secrets with invisible characters in plain text securely using passwords 🧙🏻‍♂️⭐

    Project mention: r/cryptography | | 2021-05-31


  • user.js

    user.js -- Firefox configuration hardening (by pyllyukko)

    Project mention: [24 Jan 2022] Privacy lovers of India, what are your best tips for online safety & privacy in 2022? | | 2022-01-24

    As for configuring firefox - There are many different configurations. Read the thing and configure based on your needs. I use 2 different profiles in firefox. one has strict rules other not so much. Umatrix, temporary containers, ublock,vim vixen, https everywhere are the addon i use. can use facebook container if you want to use instagram and such.

  • opencti

    Open Cyber Threat Intelligence Platform

    Project mention: Threat Intelligence platform recommendations | | 2021-11-02

    If you haven’t yet, check out OpenCTI

  • rate-limiter-flexible

    Node.js rate limit requests by key with atomic increments in single process or distributed environment.

    Project mention: Trouble adding rate limiter to API route in Nextjs | | 2021-07-31

    I published this issue with my code:

  • awesome-nodejs-security

    Awesome Node.js Security resources

  • nothing-private

    Do you think you are safe using private browsing or incognito mode?. :smile: :imp: This will prove that you're wrong.

    Project mention: GitHub - gautamkrishnar/nothing-private: Do you think you are safe using private browsing or incognito mode?. This will prove that you're wrong. | | 2021-10-24
  • is-website-vulnerable

    finds publicly known security vulnerabilities in a website's frontend JavaScript libraries

    Project mention: Finds publicly known security vulnerabilities in front end JavaScript libs | | 2021-08-06
  • cloudsploit

    Cloud Security Posture Management (CSPM)

    Project mention: Cloud Security Tools | | 2021-08-25

    Mapping cloud security controls to compliance standards not possible in totality (e.g. cloud security tools on their own won't be able to see what's on an EC2 instance to see if you have PCI-DSS compliant ciphers enabled for SSH/HTTPS/etc.), but I'd recommend you take a look into and as starting points!

NOTE: The open source projects on this list are ordered by number of github stars. The number of mentions indicates repo mentiontions in the last 12 Months or since we started tracking (Dec 2020). The latest post mention was on 2022-01-24.

JavaScript Security related posts


What are some of the best open-source Security projects in JavaScript? This list will help you:

Project Stars
1 15,179
2 openzeppelin-contracts 15,160
3 KeeWeb 10,662
4 DOMPurify 8,305
5 awesome-ctf 6,554
6 BeEF 6,277
7 arkime 5,024
8 cloudmapper 4,826
9 user.js 4,628
10 shhgit 3,337
11 ClearURLs-Addon 2,959
12 Retire.js 2,939
13 sanitize-html 2,834
14 vm2 2,796
15 express-gateway 2,610
16 StegCloak 2,403
17 user.js 2,381
18 opencti 2,216
19 rate-limiter-flexible 1,994
20 awesome-nodejs-security 1,811
21 nothing-private 1,770
22 is-website-vulnerable 1,728
23 cloudsploit 1,713
Find remote jobs at our new job board There are 29 new remote jobs listed recently.
Are you hiring? Post a new remote job listing for free.
OPS - Build and Run Open Source Unikernels
Quickly and easily build and deploy open source unikernels in tens of seconds. Deploy in any language to any cloud.