TypeScript Security Rules

12 rules

Authentication in Express.js MEDIUM express fastify

Body Parser Middleware in Express.js MEDIUM express

Cookie Security Flags Configuration MEDIUM express

CORS Configuration in Express.js MEDIUM express fastify

CSRF Protection in Express.js MEDIUM express

Rate Limiting in Express.js MEDIUM express nodejs fastify

Express Trust Proxy Configuration MEDIUM express

Authentication in Next.js API Routes MEDIUM nextjs

Authentication in Next.js Middleware MEDIUM nextjs

Authentication in Next.js Server Actions MEDIUM nextjs

Mass Assignment in Next.js Server Actions MEDIUM nextjs

SQL Injection in Next.js Server Actions MEDIUM nextjs

CWE-20 Improper Input Validation 7 rules

Business Logic Input Validation MEDIUM express fastify nextjs koa

Unvalidated Business-Critical Values HIGH express fastify nextjs koa

NestJS DTO Missing Validation Decorators HIGH nestjs

Prisma Missing Input Validation HIGH prisma

tRPC Unsafe Context Usage HIGH trpc

tRPC Procedure Missing Input Validation HIGH trpc

TypeORM Entity Missing Validation HIGH typeorm

CWE-200 Information Exposure 5 rules

Environment Variable Secret Exposure HIGH nodejs express fastify koa hapi nestjs

LLM Model Theft HIGH nodejs express

LLM Sensitive Information Disclosure HIGH express fastify nodejs

Sensitive Field Exposure in API Response CRITICAL express fastify nextjs nestjs koa hapi nodejs

Prisma Sensitive Field Exposure CRITICAL prisma

CWE-704 CWE-704 5 rules

tRPC Type Safety Bypass with Any MEDIUM trpc

TypeScript Unconstrained Generic Type Parameters MEDIUM typescript

TypeScript Strict Mode Disabled HIGH typescript

Unsafe 'any' Type in Security-Sensitive Context HIGH express fastify nestjs next

TypeScript Unsafe Type Guard HIGH typescript

CWE-798 Hardcoded Credentials 5 rules

Hardcoded Secret in Environment Variable Fallback HIGH nodejs express fastify koa hapi nestjs

Hardcoded Credentials HIGH nodejs express fastify koa hapi nestjs

Hardcoded High-Entropy Secrets Detection CRITICAL nodejs express fastify koa hapi nestjs

Hardcoded Secrets in Security Operations CRITICAL nodejs express fastify koa hapi nestjs

Security Issues in Test Files LOW tests

CWE-89 SQL Injection 4 rules

SQL Injection via Database Queries CRITICAL nodejs express fastify koa hapi nestjs lambda serverless graphql

Prisma Raw Query SQL Injection CRITICAL prisma

TypeORM SQL Injection in Raw Query CRITICAL typeorm

TypeORM Query Builder SQL Injection CRITICAL typeorm

CWE-79 Cross-Site Scripting (XSS) 3 rules

Angular Unsafe Security Context Bypass CRITICAL

Angular Unsafe Property Binding HIGH

Cross-Site Scripting (XSS) via Response HIGH nodejs express fastify koa hapi nestjs lambda serverless graphql

CWE-94 Code Injection 3 rules

Code Injection via eval() and Function constructor CRITICAL express fastify

LLM Insecure Output Handling HIGH express fastify nodejs

TypeScript Unsafe Decorator Usage HIGH typescript

CWE-285 Improper Authorization 3 rules

Angular Missing Route Guard CRITICAL angular

NestJS Sensitive Route Missing Guard CRITICAL nestjs

tRPC Protected Procedure Missing Authentication CRITICAL trpc

CWE-639 Authorization Bypass Through User-Controlled Key 3 rules

Horizontal Privilege Escalation CRITICAL express fastify nextjs koa hapi nestjs

Insecure Direct Object Reference (IDOR) HIGH express fastify nextjs koa hapi nestjs

Potential IDOR - Generic Data Access MEDIUM express fastify nextjs koa hapi nestjs

CWE-22 Path Traversal 2 rules

Path Traversal in File Operations CRITICAL nodejs express fastify koa hapi nestjs lambda serverless graphql

Zip Slip Path Traversal HIGH nodejs express fastify koa

CWE-209 Error Message Information Leak 2 rules

Information Exposure Through Error Messages MEDIUM express fastify nextjs nodejs

tRPC Error Information Disclosure MEDIUM trpc

CWE-327 Broken Cryptographic Algorithm 2 rules

JWT Algorithm Confusion Attack HIGH express fastify nodejs

Use of Weak Cryptographic Algorithm HIGH express fastify nextjs

CWE-400 Resource Exhaustion 2 rules

LLM Denial of Service MEDIUM express fastify nodejs

Denial of Service via Unbounded Child Processes MEDIUM express fastify nextjs

CWE-502 Deserialization of Untrusted Data 2 rules

LLM Training Data Poisoning HIGH nodejs

Unsafe Deserialization CRITICAL express fastify nodejs nextjs

CWE-601 Open Redirect 2 rules

Next.js Open Redirect MEDIUM nextjs

Open Redirect via Untrusted URLs MEDIUM nodejs express fastify koa hapi nestjs nextjs

CWE-770 Allocation Without Limits 2 rules

Request Size Limits in Express.js MEDIUM express

Prisma Unbounded Relation Loading MEDIUM prisma

CWE-915 Mass Assignment 2 rules

Prisma Mass Assignment Vulnerability CRITICAL prisma

TypeORM Mass Assignment Vulnerability CRITICAL typeorm

CWE-918 Server-Side Request Forgery 2 rules

SSRF in Next.js Server Actions HIGH nextjs

Server-Side Request Forgery via HTTP Requests HIGH express fastify nodejs

CWE-1321 Prototype Pollution 2 rules

Prototype Pollution via Object Manipulation HIGH nodejs express fastify koa hapi nestjs lambda serverless

Prototype Pollution Gadget - Unsafe Property Trust MEDIUM nodejs express fastify koa nestjs nextjs

CWE-74 Injection 1 rules

Prompt Injection via Untrusted Input HIGH express fastify

CWE-78 OS Command Injection 1 rules

Command Injection via child_process CRITICAL nodejs express fastify koa hapi nestjs lambda serverless graphql

CWE-90 LDAP Injection 1 rules

LDAP Injection HIGH express fastify nodejs

CWE-93 CWE-93 1 rules

Email Header Injection HIGH express fastify koa nextjs

CWE-113 HTTP Response Splitting 1 rules

HTTP Header Injection (Response Splitting) HIGH nodejs express fastify koa hapi nestjs

CWE-117 Log Injection 1 rules

Log Injection MEDIUM all

CWE-176 CWE-176 1 rules

Unicode Normalization Security Issues MEDIUM express fastify koa nextjs

CWE-190 CWE-190 1 rules

Integer Overflow via Unchecked Arithmetic MEDIUM

CWE-201 CWE-201 1 rules

Credential Exfiltration via User-Controlled Endpoint CRITICAL express fastify nodejs nextjs nestjs koa hapi

CWE-208 CWE-208 1 rules

Timing Attack via Direct Cryptographic Comparison MEDIUM nodejs express fastify koa hapi nestjs

CWE-235 CWE-235 1 rules

HTTP Parameter Pollution Prevention in Express.js LOW express

CWE-252 Unchecked Return Value 1 rules

Unchecked Return Value from Critical Operations HIGH nodejs express fastify nextjs

CWE-259 Hardcoded Password 1 rules

Hardcoded Weak Password HIGH nodejs express fastify

CWE-284 Improper Access Control 1 rules

LLM Insecure Plugin Design HIGH nodejs express

CWE-287 Improper Authentication 1 rules

JWT Decode Used for User Identity (Authentication Bypass) CRITICAL express fastify koa hapi nodejs

CWE-295 Improper Certificate Validation 1 rules

Insecure TLS/SSL Configuration HIGH

CWE-306 CWE-306 1 rules

NestJS Endpoint Missing Authentication Guard HIGH nestjs

CWE-321 Hardcoded Cryptographic Key 1 rules

JWT User-Controlled Secret CRITICAL express fastify nodejs

CWE-338 Weak PRNG 1 rules

Weak Random Number Generation in Security Context HIGH express fastify

CWE-347 Improper Signature Verification 1 rules

JWT Decode Without Verification HIGH express fastify nodejs

CWE-352 Cross-Site Request Forgery 1 rules

Angular Missing HTTP Security Interceptor HIGH

CWE-362 Race Condition 1 rules

Race Condition in Concurrent Operations HIGH nodejs express fastify nextjs

CWE-384 Session Fixation 1 rules

Express Insecure Session Configuration HIGH express

CWE-390 CWE-390 1 rules

Incomplete Error Handling MEDIUM express fastify nextjs

CWE-391 CWE-391 1 rules

Unhandled Promise Rejection HIGH nodejs express fastify nextjs koa hapi nestjs

CWE-434 Unrestricted File Upload 1 rules

Unrestricted File Upload HIGH express fastify nodejs

CWE-476 CWE-476 1 rules

Non-Null Assertion Without Null Check LOW express fastify nestjs next

CWE-489 CWE-489 1 rules

Debug Mode Enabled in Production MEDIUM express fastify nodejs

CWE-521 Weak Password Requirements 1 rules

Weak Password Policy HIGH express fastify nextjs nodejs

CWE-532 Information Exposure Through Logs 1 rules

Sensitive Data Exposure in Logs MEDIUM nodejs express fastify koa hapi nestjs

CWE-547 CWE-547 1 rules

Hardcoded Development URLs LOW express fastify nodejs

CWE-611 XXE 1 rules

XML External Entity (XXE) Injection HIGH express fastify

CWE-636 CWE-636 1 rules

Failing Open on Security Check Errors CRITICAL express fastify nextjs koa hapi nestjs

CWE-640 Weak Password Recovery 1 rules

Weak Password Reset Token HIGH all

CWE-668 CWE-668 1 rules

TypeScript Access Modifier Bypass HIGH typescript

CWE-670 CWE-670 1 rules

JavaScript Test with Trivial Always-Passing Assertion MEDIUM nodejs express fastify koa hapi nextjs

CWE-693 Protection Mechanism Failure 1 rules

Security Headers in Express.js HIGH express fastify

CWE-754 CWE-754 1 rules

TypeORM Unsafe Database Migration HIGH typeorm

CWE-755 CWE-755 1 rules

Resource Exhaustion via Exception Handling MEDIUM nodejs express fastify nextjs

CWE-778 Insufficient Logging 1 rules

Avoid console.log when logging library exists low nodejs express fastify

CWE-829 Inclusion of Untrusted Functionality 1 rules

LLM Supply Chain Vulnerabilities HIGH nodejs

CWE-840 CWE-840 1 rules

Business Logic Bypass HIGH express fastify nextjs

CWE-843 CWE-843 1 rules

TypeScript Enum Type Confusion MEDIUM express fastify nestjs next

CWE-862 Missing Authorization 1 rules

LLM Excessive Agency HIGH nodejs express

CWE-916 CWE-916 1 rules

Weak Password Storage HIGH express fastify nextjs nodejs

CWE-943 NoSQL Injection 1 rules

NoSQL Injection via MongoDB Queries HIGH express fastify

CWE-1024 CWE-1024 1 rules

Type Coercion Security Bugs MEDIUM all

CWE-1069 CWE-1069 1 rules

Empty Catch Block MEDIUM nodejs express fastify nextjs koa hapi nestjs

CWE-1071 CWE-1071 1 rules

AI-Generated Placeholder Code LOW express fastify

CWE-1236 CWE-1236 1 rules

CSV Injection (Formula Injection) MEDIUM nodejs express fastify koa hapi nestjs lambda serverless

CWE-1333 ReDoS 1 rules

Regular Expression Denial of Service (ReDoS) HIGH express koa fastify

TypeScript Security Rules

Frameworks