Rules
All ESLint security rules provided by eslint-plugin-express-security
10 Security Rules
Comprehensive coverage of Express.js security including CORS, CSRF, cookies, and rate limiting.
All Rules
| Rule | 🧠 | 💼 | 🔧 | 💡 | ⚠️ | Docs |
|---|---|---|---|---|---|---|
| no-cors-credentials-wildcard The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance: | 🟢 | |||||
| no-exposed-debug-endpoints Identifies potential debug, administration, or testing endpoints that are often left exposed in production environmen... | 🟢 | |||||
| no-express-unsafe-regex-route This rule detects Regular Expression Denial of Service (ReDoS) vulnerabilities in Express route patterns | 🟢 | |||||
| no-graphql-introspection-production This rule detects GraphQL servers with introspection enabled in production | 🟢 | |||||
| no-insecure-cookie-options The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance: | 🟢 | |||||
| no-permissive-cors Detects overly permissive CORS configurations in Express.js applications | 🟢 | |||||
| require-csrf-protection The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance: | 🟢 | |||||
| require-express-body-parser-limits The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance: | 🟢 | |||||
| require-helmet This rule detects Express.js applications that are missing the helmet middleware | 🟢 | |||||
| require-rate-limiting This rule detects Express.js applications missing rate limiting middleware | 🟢 |
Rule Categories
CORS & Headers
Rules enforcing proper CORS configuration and security headers via Helmet.
Cookie Security
Rules detecting insecure cookie options and improper session handling.
Rate Limiting & CSRF
Rules requiring rate limiting and CSRF protection middleware.
API Security
Rules preventing exposed debug endpoints and GraphQL introspection in production.