After this lesson, you will be able to: Recognise XSS, CSRF, prototype pollution, and dependency vulnerabilities; read npm audit output.
Most JS security issues are well-known and well-mitigated, IF you know what to look for.
Attacker injects script via user input that's rendered as HTML. Reflected: in URL query → echoed to page (search results page). Stored: in DB → rendered for many users (forum post). DOM-based: client-side JS reads attacker-controlled value and inserts into DOM. Defense: React/Vue/Svelte escape by default. Use `dangerouslySetInnerHTML` ONLY with sanitized HTML (DOMPurify). Set CSP header to block inline scripts.
Attacker tricks the user's browser into making an authenticated request to your site (the browser auto-attaches cookies). Defense: SameSite cookies (default Lax in modern browsers blocks cross-origin POSTs), CSRF tokens, or Origin header checks. LastWrite's middleware enforces Origin check on every mutation, see src/proxy.ts.
Less common but devastating. Read this twice.
// Unsafe mergefunction merge(target, source) {for (const key in source) {if (typeof source[key] === "object") {merge(target[key] = target[key] || {}, source[key]);} else {target[key] = source[key];}}}// Attacker sends JSON:const evil = JSON.parse('{"__proto__":{"admin":true}}');merge({}, evil);// Now EVERY object inherits .admin = true (via Object.prototype)console.log({}.admin); // true// Defense: Object.freeze(Object.prototype); use safe libraries (lodash 4.17.21+); validate keys.
Run on every install; pair with Dependabot.
npm audit # shows known vulns in dependenciesnpm audit --omit=dev # production onlynpm audit fix # auto-fix (within semver range)npm audit fix --force # force upgrade, read the diff first# Filter by severitynpm audit --audit-level=high# In CI:# - run: npm audit --audit-level=critical# Combine with Dependabot for automated PRs on new vulns.# Snyk + GitHub Advanced Security give richer info; paid but worth it at scale.
Using `eval` or `new Function` on user input. Always wrong. Trusting JSON.parse blindly without validating shape. Use Zod. Storing JWT in localStorage. XSS = token theft. Use httpOnly cookies. Ignoring npm audit. CVEs accumulate; one of them eventually hits production.
Pick the security reason.
Sign in and purchase access to unlock this lesson.