Browser Security
Overview
Browser security rules for XSS, CSRF, and client-side vulnerabilities
eslint-plugin-browser-security
21 specialized rules — LLM-optimized error messages with CWE, OWASP, and CVSS metadata.
When to Use
This plugin is designed for client-side JavaScript/TypeScript applications running in web browsers:
| Environment | Examples |
|---|---|
| Frontend Frameworks | React, Vue, Angular, Svelte, Solid |
| Build Tools | Vite, Webpack, esbuild, Parcel |
| Full-Stack Frameworks | Next.js (client), Nuxt (client), Remix (client) |
| Vanilla JS | Any browser-based JavaScript |
Target Vulnerabilities
| Category | Threats |
|---|---|
| XSS (Cross-Site Scripting) | innerHTML, document.write, unsafe DOM manipulation |
| CSRF (Cross-Site Request Forgery) | Missing tokens, insecure cookie handling |
| Insecure Communication | postMessage origin validation, WebSocket security |
| Data Leakage | localStorage sensitive data, URL-based secrets |
Not for server-side code — For Node.js/Express security, see express-security. For database security, see mongodb-security or pg.
Installation
npm install --save-dev eslint-plugin-browser-security
Configuration
import browsersecurity from 'eslint-plugin-browser-security';
export default [browsersecurity.configs.recommended];
Available Presets
| Preset | Description |
|---|---|
| recommended | Balanced security for most projects |
| strict | Maximum enforcement (all rules as errors) |
Rules
Browse all 21 rules with CWE and OWASP references: