README.md

Awesome Frontend Security

Frontend application security.

All contributions are welcome, please carefully review the contributing guidelines prior to submitting a pull request.

Contents

• Guides
• Cheat Sheets
• Libraries
• Tools
  • Code scanning
  • Supply Chain Security
  • Testing
• Courses

Guides

• How to Think About Security in Next.js
• Secret scanning and Next.js builds

Cheat Sheets

• Authentication Cheat Sheet
• CSP Cheat Sheet
• XSS Filter Evasion Cheat Sheet

Libraries

• Helmet - Middleware to set HTTP security headers for Express applications.
• next-safe - A simple way to configure CSP headers in Next.js applications.
• server-only - Ensure your code is only run on the server.
• Valibot - A library for validating data.
• Zod - TypeScript-first validation library.

Tools

Code scanning

• GitHub Code Scanning - Static analysis, free for open source.
• Gitleaks - Scans git repositories for secrets.
• GitGuardian - Secret scanning.
• Semgrep - Static analysis tool for finding bugs and enforcing code standards.
• SonarQube - Code quality scanning.
• Trufflehog - Searches for secrets and other sensitive information.

Supply Chain Security

• Bytesafe - Dependency scanning.
• Dependabot - Automated dependency updates as PRs.
• npm-audit - Built into npm, run npm audit to check for vulnerabilities in your dependencies.
• Socket - Dependency analysis and reporting for security and licensing issues.

Testing

• CSP Evaluator - Check your CSP headers for common issues.
• shcheck - A CLI for checking website security headers.
• OWASP Web App Security Testing Guide - Guide for testing the security of web applications and web services.
• Zap - App vulnerability scanning.

Courses

• Stanford CS 253 Web Security - Comprehensive overview of web security (Fall 2021).