Rules
All ESLint security rules provided by eslint-plugin-browser-security
45 Security Rules
Comprehensive coverage of XSS, cookie security, DOM protection, and client-side vulnerabilities.
All Rules
| Rule | 💼 | 🔧 | 💡 | ⚠️ | Docs |
|---|---|---|---|---|---|
| `detect-mixed-content` Detects HTTP URLs in code that should use HTTPS, preventing mixed content vulnerabilities. | | | | | |
| `no-allow-arbitrary-loads` Prevents disabling App Transport Security (ATS) by detecting allowArbitraryLoads: true in configuration. | | | | | |
| `no-clickjacking` Detects clickjacking vulnerabilities and missing frame protections. | | | | | |
| `no-client-side-auth-logic` Prevents client-side authentication logic that can be bypassed. This rule is part of eslint-plugin-browser-security and provides LLM-optimized error messages. | | | | | |
| `no-cookie-auth-tokens` Prevents storing authentication tokens in JavaScript-accessible cookies. | | | | | |
| `no-credentials-in-query-params` CWE: [CWE-598](https://cwe.mitre.org/data/definitions/598.html) | | | | | |
| `no-disabled-certificate-validation` CWE: [CWE-295](https://cwe.mitre.org/data/definitions/295.html) | | | | | |
| `no-dynamic-service-worker-url` Prevents dynamic URLs in service worker registration. | | | | | |
| `no-eval` Detects dangerous eval() and similar code execution patterns. | | | | | |
| `no-filereader-innerhtml` The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance. | | | | | |
| `no-http-urls` CWE: [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | | | | | |
| `no-innerhtml` Detects dangerous innerHTML/outerHTML assignments that can lead to Cross-Site Scripting (XSS). | | | | | |
| `no-insecure-redirects` ESLint Rule: no-insecure-redirects | | | | | |
| `no-insecure-websocket` CWE: [CWE-319](https://cwe.mitre.org/data/definitions/319.html) | | | | | |
| `no-jwt-in-storage` This rule prevents storing JWT tokens in browser storage (localStorage/sessionStorage). | | | | | |
| `no-missing-cors-check` Detects missing CORS validation (wildcard CORS, missing origin check) that can allow unauthorized cross-origin requests. | | | | | |
| `no-missing-csrf-protection` Detects missing CSRF token validation in POST/PUT/DELETE requests. | | | | | |
| `no-missing-security-headers` ESLint Rule: no-missing-security-headers | | | | | |
| `no-password-in-url` This rule detects when URLs contain password-related query parameters or URL fragments. | | | | | |
| `no-permissive-cors` CWE: [CWE-942](https://cwe.mitre.org/data/definitions/942.html) | | | | | |
| `no-postmessage-innerhtml` The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance. | | | | | |
| `no-postmessage-wildcard-origin` This rule prevents using "*" as the targetOrigin parameter in postMessage() calls. | | | | | |
| `no-sensitive-cookie-js` The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance. | | | | | |
| `no-sensitive-data-in-analytics` This rule detects when sensitive user data (email, SSN, credit card, password, phone, address) is passed to analytics... | | | | | |
| `no-sensitive-data-in-cache` CWE: [CWE-200](https://cwe.mitre.org/data/definitions/200.html) | | | | | |
| `no-sensitive-indexeddb` Prevents storing sensitive data in IndexedDB. | | | | | |
| `no-sensitive-localstorage` Detects storage of sensitive data (tokens, passwords, PII) in localStorage. | | | | | |
| `no-sensitive-sessionstorage` Prevents storing sensitive data in sessionStorage. | | | | | |
| `no-tracking-without-consent` CWE: [CWE-359](https://cwe.mitre.org/data/definitions/359.html) | | | | | |
| `no-unencrypted-transmission` Detects unencrypted data transmission (HTTP vs HTTPS, plain text protocols). | | | | | |
| `no-unescaped-url-parameter` Detects unescaped URL parameters that can lead to Cross-Site Scripting (XSS) or open redirect vulnerabilities. | | | | | |
| `no-unsafe-eval-csp` Disallows 'unsafe-eval' in Content Security Policy directives. | | | | | |
| `no-unsafe-inline-csp` Disallows 'unsafe-inline' in Content Security Policy directives. | | | | | |
| `no-unvalidated-deeplinks` This rule detects when deep link URLs are opened without validation in React Native or mobile web apps. | | | | | |
| `no-websocket-eval` The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance. | | | | | |
| `no-websocket-innerhtml` The rule provides LLM-optimized error messages (compact 2-line format) with actionable security guidance. | | | | | |
| `no-worker-message-innerhtml` Disallows using innerHTML with Web Worker message data. | | | | | |
| `require-blob-url-revocation` Requires revoking Blob URLs after use to prevent memory leaks. | | | | | |
| `require-cookie-secure-attrs` Requires Secure and SameSite attributes on cookies. | | | | | |
| `require-csp-headers` CWE: [CWE-1021](https://cwe.mitre.org/data/definitions/1021.html) | | | | | |
| `require-https-only` This rule detects HTTP (unencrypted) URLs in fetch() and axios requests. | | | | | |
| `require-mime-type-validation` CWE: [CWE-434](https://cwe.mitre.org/data/definitions/434.html) | | | | | |
| `require-postmessage-origin-check` Detects postMessage event handlers without origin validation. | | | | | |
| `require-url-validation` CWE: [CWE-601](https://cwe.mitre.org/data/definitions/601.html) | | | | | |
| `require-websocket-wss` This rule enforces the use of the wss:// (WebSocket Secure) protocol instead of ws:// (unencrypted WebSocket). | | | | | |
Rule Categories
XSS Prevention
Rules that prevent Cross-Site Scripting attacks through innerHTML, postMessage, and DOM manipulation.
Cookie Security
Rules for secure cookie handling, preventing sensitive data exposure in client-side storage.
Content Security Policy
Rules enforcing proper CSP headers and preventing unsafe inline/eval patterns.
DOM Security
Rules for safe DOM manipulation and preventing DOM-based vulnerabilities.
WebSocket Security
Rules for secure WebSocket communication and message handling.