ESLint InterlaceESLint Interlace
Plugin: nestjs-security

Overview

NestJS security rules for guards, validation pipes, throttling, and more

Live from GitHub

This content is fetched directly from README.md on GitHub and cached for 1 hour.

AI-Optimized Security

Every rule includes CWE, OWASP, and CVSS metadata for AI assistants to provide precise, context-aware fixes.

Rules (6)

Browse all NestJS security rules with CWE/OWASP mapping

Changelog

View version history and updates

ESLint Interlace Logo

Security rules tailored for NestJS applications (Controllers, Providers, Decorators).

NPM VersionNPM DownloadsPackage LicenseCodecovSince Dec 2025

Description

This plugin provides Security rules tailored for NestJS applications (Controllers, Providers, Decorators). By using this plugin, you can proactively identify and mitigate security risks across your entire codebase.

Philosophy

Interlace fosters strength through integration. Instead of stacking isolated rules, we interlace security directly into your workflow to create a resilient fabric of code. We believe tools should guide rather than gatekeep, providing educational feedback that strengthens the developer with every interaction.

Getting Started

npm install eslint-plugin-nestjs-security --save-dev

โš™๏ธ Configuration Presets

PresetDescription
recommendedEnables all security rules with sensible severity levels
strictAll security rules set to 'error' for maximum protection

๐Ÿ“š Supported Libraries

LibrarynpmDownloadsDetection
@nestjs/commonDecorators, Guards
@nestjs/coreApp Config
class-validatorDTO Validation
@nestjs/throttlerRate Limiting

โš ๏ธ Global Configuration Handling

Static Analysis Limitation: ESLint analyzes files independently. It cannot detect cross-file configurations like app.useGlobalGuards() in main.ts while linting users.controller.ts.

Understanding the Problem

NestJS supports two security configuration approaches:

ApproachExampleESLint Can See?
Per-Controller@UseGuards(AuthGuard) on classโœ…
Per-Method@UseGuards(AuthGuard) on methodโœ…
Global (main.ts)app.useGlobalGuards(new AuthGuard())โŒ
Global (Module)ThrottlerModule.forRoot({ ttl: 60, limit: 10 })โŒ

Solution: assumeGlobal* Options

For teams using global configuration, set assumeGlobal*: true to disable per-file checks:

// eslint.config.js
import nestjsSecurity from 'eslint-plugin-nestjs-security';

export default [
  {
    ...nestjsSecurity.configs.recommended,
    rules: {
      // Tell ESLint: "We have app.useGlobalGuards() in main.ts"
      'nestjs-security/require-guards': ['warn', { assumeGlobalGuards: true }],

      // Tell ESLint: "We have app.useGlobalPipes(new ValidationPipe()) in main.ts"
      'nestjs-security/no-missing-validation-pipe': [
        'warn',
        { assumeGlobalPipes: true },
      ],

      // Tell ESLint: "We have ThrottlerModule.forRoot() in app.module.ts"
      'nestjs-security/require-throttler': [
        'warn',
        { assumeGlobalThrottler: true },
      ],
    },
  },
];

Alternative: Use Skip Decorators

The rules recognize common "bypass" decorators for intentionally unprotected endpoints:

// These bypass require-guards
@Public()        // nestjs-passport pattern
@SkipAuth()      // common custom decorator
@AllowAnonymous() // alternative naming
@NoAuth()        // alternative naming

// These bypass require-throttler
@SkipThrottle()  // @nestjs/throttler built-in

๐Ÿ”ฎ Future: Cross-File Global Detection (Planned)

We're planning dedicated rules to verify global configuration exists:

  • require-global-guards โ†’ Ensures main.ts contains app.useGlobalGuards()
  • require-global-validation-pipe โ†’ Ensures main.ts contains app.useGlobalPipes()
  • require-global-throttler โ†’ Ensures app.module.ts imports ThrottlerModule

This will enable a "trust but verify" approach for teams using global configuration.

Rules

Legend

IconDescription
๐Ÿ’ผRecommended: Included in the recommended preset.
โš ๏ธWarns: Set towarn in recommended preset.
๐Ÿ”งAuto-fixable: Automatically fixable by the --fix CLI option.
๐Ÿ’กSuggestions: Providing code suggestions in IDE.
๐ŸšซDeprecated: This rule is deprecated.
RuleCWEOWASPCVSSDescription๐Ÿ’ผโš ๏ธ๐Ÿ”ง๐Ÿ’ก๐Ÿšซ
no-exposed-debug-endpointsESLint rule documentation for no-exposed-debug-endpoints
no-exposed-private-fieldsCWE-2007.5ESLint rule documentation for no-exposed-private-fields๐Ÿ’ผโš ๏ธ๐Ÿ’ก
no-missing-validation-pipeCWE-208.6ESLint rule documentation for no-missing-validation-pipe๐Ÿ’ผโš ๏ธ๐Ÿ’ก
require-class-validatorCWE-207.5ESLint rule documentation for require-class-validator๐Ÿ’ผโš ๏ธ๐Ÿ’ก
require-guardsCWE-2849.8ESLint rule documentation for require-guards๐Ÿ’ผ๐Ÿ’ก
require-throttlerCWE-7707.5ESLint rule documentation for require-throttler๐Ÿ’ผโš ๏ธ๐Ÿ’ก

๐Ÿ”— Related ESLint Plugins

Part of the Interlace ESLint Ecosystem โ€” AI-native security plugins with LLM-optimized error messages:

PluginDownloadsDescription
eslint-plugin-secure-codingGeneral security rules & OWASP guidelines.
eslint-plugin-pgPostgreSQL security & best practices.
eslint-plugin-cryptoNodeJS Cryptography security rules.
eslint-plugin-jwtJWT security & best practices.
eslint-plugin-browser-securityBrowser-specific security & XSS prevention.
eslint-plugin-express-securityExpress.js security hardening rules.
eslint-plugin-lambda-securityAWS Lambda security best practices.
eslint-plugin-nestjs-securityNestJS security rules & patterns.
eslint-plugin-mongodb-securityMongoDB security best practices.
eslint-plugin-vercel-ai-securityVercel AI SDK security hardening.
eslint-plugin-import-nextNext-gen import sorting & architecture.

๐Ÿ“„ License

MIT ยฉ Ofri Peretz

ESLint Interlace Plugin

View README.md on GitHub โ†’

require-rate-limiting

ESLint rule documentation for require-rate-limiting

Changelog

Release history and version updates for eslint-plugin-nestjs-security

On this page

No Headings