Articles

Express ships nothing by default — no security headers, no rate limit, no CSRF, no body-size cap — and a route regex can DoS the event loop. 10 CWE-mapped ESLint rules that catch the middleware you forgot, in CI.

A NestJS controller with no @UseGuards is wide open; a handler with no ValidationPipe takes raw input; an entity returned directly leaks the password hash. 6 CWE-mapped ESLint rules that catch the decorators you forgot, in CI.

JWT-in-localStorage, innerHTML XSS, postMessage('*'), mixed content, permissive CORS — browser-side bugs a backend pentest and a type-checker never see. 45 CWE-mapped ESLint rules that catch them in CI.

alg:none token forgery, RS256↔HS256 confusion, weak/hardcoded secrets, missing exp/iss/aud — the JWT auth mistakes that hand attackers a valid session. 13 CWE-mapped ESLint rules that catch them in CI.

Weak crypto (MD5/SHA-1/ECB), command injection via exec(), Zip Slip path traversal, Math.random() tokens — Node.js built-in footguns that pass tests and ship as CVEs. 34 CWE-mapped ESLint rules that catch them in CI.

Prompt injection, tool over-permissioning, AI output that reaches eval/SQL/innerHTML, secrets in prompts — the Vercel AI SDK puts every one a single property away. 19 ESLint rules that catch them in CI, before deploy.

Hardcoded secrets, unsafe deserialization, LDAP/XPath/GraphQL injection, prototype pollution — language-level bugs that pass review and tests, then become CVEs. 27 CWE-mapped ESLint rules that catch them in CI, framework-agnostic.

A real, auditable mapping of the OWASP Top 10 (2021) to ten domain-security ESLint plugins: which categories a CWE-tagged rule genuinely catches in CI, and the two (Insecure Design, Vulnerable Components) that need controls beyond source analysis.

How to turn an inherited Node.js codebase into a measurable risk heatmap in one ESLint run: the three plugins to install, the jq one-liner that ranks findings by rule, and how to read the result — 15 SQL injections and 8 hardcoded credentials before your first standup.

The 13 security concepts that come up in senior JavaScript/Node interviews — SQLi, XSS, CSRF, JWT, prototype pollution, ReDoS, timing attacks — each with the bad-vs-good code, the CWE, and the exact ESLint rule that enforces it automatically.

alg:none tells a JWT verifier 'this token has no signature' — and a permissive verify call accepts the forgery. The header-swap walkthrough, why jsonwebtoken still ships the foot-gun, and the CWE-347 ESLint rule that fails the build on it.

The 3-line prompt-injection bug in almost every Vercel AI SDK app, the exploit that proves it, why string sanitization is a trap, and the CWE-74 ESLint rule that enforces a real validation boundary at write-time.