ESLint Interlace

ESLint Interlace

Guide

Getting Started Examples & Showcases Benchmarks Test Coverage Technical Articles

Advanced Topics

ESLint Plugins (Security)

no-cookie-auth-tokens no-dynamic-service-worker-url no-eval browser-security/no-filereader-innerhtml no-innerhtml browser-security/no-jwt-in-storage browser-security/no-postmessage-innerhtml browser-security/no-postmessage-wildcard-origin browser-security/no-sensitive-cookie-js no-sensitive-indexeddb no-sensitive-localstorage no-sensitive-sessionstorage no-unsafe-eval-csp no-unsafe-inline-csp browser-security/no-websocket-eval browser-security/no-websocket-innerhtml no-worker-message-innerhtml require-blob-url-revocation require-cookie-secure-attrs require-postmessage-origin-check browser-security/require-websocket-wss

ESLint Plugins (Frameworks)

ESLint Plugins (Architecture)

Browser Security

Home
Browser Security

Rules

All browser-security rules for XSS, CSRF, and client-side security

browser-security Rules

Browse all 21 rules for XSS, CSRF, and client-side vulnerability prevention.

See the sidebar for the complete list of rules.

Known False Negatives

This rule uses pattern-based detection. The following may not be caught:

Dynamic patterns - Runtime-generated code or values
Indirect references - Values passed through multiple variables or functions
External data - Data from APIs, databases, or user input

Overview

Browser security rules for XSS, CSRF, and client-side vulnerabilities

no-cookie-auth-tokens

Prevent storing authentication tokens in JavaScript-accessible cookies.

On this page

browser-security Rules Known False Negatives