TypeScript Security

Open-source TypeScript projects categorized as Security

Top 23 TypeScript Security Projects

  • personal-security-checklist

    🔒 A compiled checklist of 300+ tips for protecting digital security and privacy in 2024

    Project mention: The Personal Security Checklist | news.ycombinator.com | 2024-02-21

    Checklists at https://github.com/Lissy93/personal-security-checklist/blob/...

  • javascript-obfuscator

    A powerful obfuscator for JavaScript and Node.js

    Project mention: Need ideas with modding TCOAAL | /r/CoffinofAndyandLeyley | 2023-12-06

    I don't need/use IDA, Nemlei just used https://obfuscator.io/, which just obfuscates the crap out of the code using various known methods (which I won't go into detail, it's public knowledge) and an un-obfuscation was cooked up by others. The one fucked-up thing the website does is randomizing function names, it just changes every variable/function name. We can't "un-obfuscate" those, so it's up to our brains to figure out what the code does, and change the names back.

  • WorkOS

    The modern API for authentication & user identity. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  • infisical

    ♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure and prevent secret leaks.

    Project mention: Top Secrets Management Tools for 2024 | dev.to | 2024-02-19

    Infisical

  • helmet

    Help secure Express apps with various HTTP headers

    Project mention: 🔒Securing Web: A Deep Dive into Content Security Policy (CSP) | dev.to | 2024-02-15

    helmet

  • juice-shop

    OWASP Juice Shop: Probably the most modern and sophisticated insecure web application

    Project mention: Launch HN: Corgea (YC S23) – Auto fix vulnerable code | news.ycombinator.com | 2024-01-09

    Hi HN, I’m the founder of Corgea (https://corgea.com). We help companies fix their vulnerable source code using AI.

    Originally, we started with a data security product that would detect data leaks at companies. Despite initial successes and customer acquisitions, we frequently heard that highlighting issues wasn't enough; customers wanted proactive fixes. They had hundreds (yes hundreds!) of security tools alerting them about vulnerabilities, but couldn’t afford a dedicated team to go through them all and fix them. One prospect we spoke to had tens of thousands of reported vulnerabilities in their SAST tool. With the rise of AI code generation, we saw an opportunity to give customers what they really wanted.

    Having Corgea is like having a security engineer on staff focused on making your code more secure. We want security to be an enabler of engineering rather than a blocker to it, and the reverse to be true. To accomplish this, we built it on top of existing LLMs to issue code fixes.

    To show Corgea’s capabilities, we took some popular vulnerable-by-design applications like Juice Shop (https://github.com/juice-shop/juice-shop), scanned them and issued fixes for their vulnerabilities. You can see some of them here: https://demo.corgea.com. Some examples of vulnerabilities it solves are like SQL injection, Path Traversal and XSS.

    What makes this tough is that currently LLMs struggle at generalist coding tasks because it has to understand your whole code base, the domain you’re in, and the user’s request to do something. This can lead to a lot of unintended behavior where it codes things incorrectly because it’s giving a best guess at what you want. Adam, one of the founding engineers on the team coined it well: LLMs don’t reason, they fuzz.

    We made several decisions that helped the LLM become more deterministic. First, what we’re doing is extremely domain specific: vulnerable code fixes in a limited number of programming languages. There are roughly 900 security vulnerabilities in code, called CWE’s (https://cwe.mitre.org/), that we’ve built into Corgea. An SQL injection vulnerability in a Javascript app is the same regardless if you’re a payments company or a travel booking website. Second, we have no user generated input going into the LLM, because SAST scanners everything needed to issue a fix. This makes it much more predictable and reproducible for us and customers. We can also create robust QA processes and checks.

    To illustrate the point, let’s put some of this to the test using some napkin math. Assume you’re serving 5,000 enterprises that ship on average 300 domain specific features a year in 5 different programming languages that each require 30 lines of code changes across multiple files. You’ll have about 300m permutations the product needs to support. What a nightmare!

    Using the same napkin math, Corgea needs to support the ~900 vulnerabilities (CWE’s). Most of them require 1 - 2 line changes. It doesn’t need to understand the whole codebase since the problem is usually isolated to a few lines. We want to support the 5 most popular programming languages. If we have 5,000 customers, we have to support ~4,500 permutations (900 issues x 5 different languages). This leads to a massive difference in accuracy. Obviously, this is an oversimplification of the whole thing but it illustrates the point.

    What makes this different from Copilot and other code-gen tools is that they do not specialize in security and we’ve seen them inadvertently introduce security issues unbeknownst to the engineer. Additionally, they do not integrate into existing scanning tools that companies are using to resolve those issues. So unless a developer is working on every part of the product, they’re unable to clear security backlogs, which can be in the thousands of tickets.

    As for security scanners, the current market is flooded with tools that report and overwhelm security teams and are not effective at fixing what they’re reporting. Most vulnerability scanners do not remediate issues, and if they do they’re mostly limited to upgrading packages from one version to another to reduce a CVSS. If they do offer CWE remediation capabilities their success rates are very low because they’re often based on traditional AI methodologies. Additionally, they do not integrate with each other because they want to only serve their own findings. Enterprises use multiple tools like Snyk, Semgrep, Checkmarx, but also have a penetration testing program, and a bug bounty program. They need a solution that consolidates across their existing tools. They also use Github, Gitlab and Bitbucket for their code repository.

    We’re offering a free tier for smaller teams and priced tiers. We believe we can reduce 80% of the engineering effort for security fixes, which would equate to at least $10m a year for enterprises.

    We’re really excited to share this with you all and we’d love any thoughts, feedback, and comments!

  • web-check

    🕵️‍♂️ All-in-one OSINT tool for analysing any website

    Project mention: OSINT tool for analyzing website and server meta data | /r/OSINT | 2023-07-10
  • Tutanota makes encryption easy

    Tuta is an email service with a strong focus on security and privacy that lets you encrypt emails, contacts and calendar entries on all your devices.

    Project mention: A list of SaaS, PaaS and IaaS offerings that have free tiers of interest to devops and infradev | dev.to | 2024-02-05

    Tutanota - Free secure email account service provider with built-in end-to-end encryption, no ads, no tracking. Free 1GB storage. Which is also partially open source, so you can self-host.

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  • cli

    Snyk CLI scans and monitors your projects for security vulnerabilities. (by snyk)

    Project mention: Preventing SQL injection attacks in Node.js | dev.to | 2024-02-22

    In this article, you learned all about how SQL injections manifest in Node.js applications and discovered multiple strategies to help prevent them. From updating your ORM and SQL libraries, sanitizing user inputs, and using query placeholders to leveraging the Snyk IDE extension for Visual Studio Code, you have a whole host of measures to secure your Node.js applications against SQL injection attacks.

  • buttercup-desktop

    :key: Cross-Platform Passwords & Secrets Vault

    Project mention: Inclusive Finland-based JavaScript community | /r/FinlandJS | 2023-05-03

    I'm a JS/TS developer with 10+ years experience, and have been working on projects across the board in terms of stack: front-end, back-end, mobile (native and React-), desktop and browser extensions. I'm the co-founder of Buttercup, a cross-platform password manager written in Typescript and Javascript. I'm based out of Espoo but commute to Helsinki regularly.

  • tamperchrome

    Tamper Dev is an extension that allows you to intercept and edit HTTP/HTTPS requests and responses as they happen without the need of a proxy. Works across all operating systems (including Chrome OS).

    Project mention: anyone has done an API endpoints scanner? | /r/Python | 2023-06-08

    https://tamper.dev https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Intercept_HTTP_requests

  • express-rate-limit

    Basic rate-limiting middleware for the Express web server

    Project mention: NPMprune: Remove unnecessary files from node_modules to optimize storage | news.ycombinator.com | 2023-11-29

    I think the readme gets included automatically even if you don't specify it in the files field, ditto for package.json.

    Compare https://github.com/express-rate-limit/express-rate-limit/blo... to https://www.npmjs.com/package/express-rate-limit?activeTab=c...

    Agree with you about the other points.

  • accesscontrol

    Role and Attribute based Access Control for Node.js

    Project mention: Three Ways to Secure Database APIs: Which Is Right for You? | dev.to | 2023-04-03

    You can mitigate the pain by using libraries like accesscontrol, express-rbac, django-guardian, etc., to manage authorization more declaratively. But making sure nothing leaks is still a significant challenge.

  • foal

    Full-featured Node.js framework, with no complexity. 🚀 Simple and easy to use, TypeScript-based and well-documented.

    Project mention: FoalTS – A Full-Featured Node.js Framework | news.ycombinator.com | 2023-05-18
  • exifcleaner

    Cross-platform desktop GUI app to clean image metadata

    Project mention: Anonimlik Rehberi | /r/KGBTR | 2023-10-23
  • metlo

    Metlo is an open-source API security platform.

    Project mention: Using Metlo to Secure My Personal Finance App | dev.to | 2023-06-29

    So far, I’ve been using Metlo's protection features to initially test out its capabilities on my app, but there’s still a whole other Testing feature that it has that I'm starting to look into. Everything I’ve tried out has been pretty quick and easy so hopefully I can play around with the Testing more to help me catch any other authentication or authorization vulnerabilities that might exist in my app. If this is something that interests you, you can check it out at https://metlo.com .

  • lunasec

    LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

    Project mention: Guys, I taught ChatGPT to browse the internet and it is bloody amazing. | /r/geek | 2023-03-13
  • homebridge-unifi-protect

    :video_camera: Complete HomeKit integration for all UniFi Protect device types with full support for most features including HomeKit Secure Video, and more. https://homebridge.io

    Project mention: UDM Authentication with X-CSRF-Token | /r/Ubiquiti | 2023-11-01

    For several years I've been relying on an authentication mechanism with my main UDM (v3.1.16) that relies on the X-CSRF-Token header returned when doing a GET request directly to the UDM's IP address, as per the instructions found here (https://github.com/hjdhjd/homebridge-unifi-protect/blob/main/docs/ProtectAPI.md).

  • Spearmint

    Testing, simplified. || An inclusive, accessibility-first GUI for generating clean, semantic Javascript tests in only a few clicks of a button. (by open-source-labs)

  • mitaka

    A browser extension for OSINT search

  • creepjs

    Creepy device and browser fingerprinting

    Project mention: Are these anti-fingerprinting extensions actually open source? | /r/PrivacyGuides | 2023-04-16

    You shouldnt use anti fingerprinting extensions, theyre privacy theater at best. And in the worst case scenario they can be used to fingerprint you. https://github.com/abrahamjuliot/creepjs

  • alarmo

    Easy to use alarm system integration for Home Assistant

    Project mention: Konnected.io project | /r/homeautomation | 2023-06-04

    I just did this with our ancient system. I replaced the keypads with Ring Alarm Keypads v2 which connected to my Home Assistant server via Zwave and stay in sync with the Alarmo custom integration using this Blueprint. It all works great and was much easier than expected to switch over.

  • angular-auth-oidc-client

    npm package for OpenID Connect, OAuth Code Flow with PKCE, Refresh tokens, Implicit Flow

  • dotenv-vault

    sync .env files—from the creator of `dotenv`.

    Project mention: Show HN: Shello – Wrangle Environment Variables | news.ycombinator.com | 2023-09-15

    A secrets manager for .env and .env.vault files. Sync your secrets across teams, machines, and environments.

  • LearnThisRepo.com

    Learn 300+ open source libraries for free using AI. LearnThisRepo lets you learn 300+ open source repos including Postgres, Langchain, VS Code, and more by chatting with them using AI!

NOTE: The open source projects on this list are ordered by number of github stars. The number of mentions indicates repo mentiontions in the last 12 Months or since we started tracking (Dec 2020). The latest post mention was on 2024-02-22.

TypeScript Security related posts

Index

What are some of the best open-source Security projects in TypeScript? This list will help you:

Project Stars
1 personal-security-checklist 14,263
2 javascript-obfuscator 12,431
3 infisical 11,120
4 helmet 9,929
5 juice-shop 9,265
6 web-check 6,833
7 Tutanota makes encryption easy 5,639
8 cli 4,702
9 buttercup-desktop 4,158
10 tamperchrome 4,143
11 express-rate-limit 2,648
12 accesscontrol 2,086
13 foal 1,839
14 exifcleaner 1,591
15 metlo 1,544
16 lunasec 1,384
17 homebridge-unifi-protect 1,289
18 Spearmint 1,282
19 mitaka 1,239
20 creepjs 1,123
21 alarmo 1,081
22 angular-auth-oidc-client 1,078
23 dotenv-vault 913
Learn 300+ open source libraries for free using AI.
LearnThisRepo lets you learn 300+ open source repos including Postgres, Langchain, VS Code, and more by chatting with them using AI!
learnthisrepo.com