Introduction
Security is no longer optional in API development. As of March 2026, Node.js has introduced significant changes to its permission model that every API developer needs to understand. These changes give you finer control over what your API can access — and more importantly, what it cannot.
Here are 5 permission model changes you need to know:
1. Explicit Symlink Permissions Required
In 2026, Node.js requires explicit read and write permissions when working with symlink-based APIs. This is a game-changer for APIs that process file uploads or work with symbolic links.
// Before (2025) - just worked
const fs = require('fs');
fs.readlinkSync('/path/to/symlink');
// Now requires explicit permission
node --allow-fs-read=/path/to/symlink server.js
Why it matters: Prevents accidental file system access to sensitive directories.
2. Network Permission Checks for Unix Domain Sockets
Unix Domain Socket connections now trigger network permission checks. This means your API needs explicit permissions to bind to sockets.
const http = require('http');
const server = http.createServer((req, res) => {
res.end('Hello');
});
// Now requires network permission
server.listen('/tmp/my.sock');
Run with: node --allow-net server.js
3. Granular File System Permissions
Forget the binary --allow-fs. In 2026, you can specify exact paths:
# Read-only access to specific directories
node --allow-fs-read=/app/data,/app/config server.js
# Write access to specific directories
node --allow-fs-write=/app/uploads server.js
This is perfect for APIs that only need access to specific directories.
4. Environment Variable Restrictions
APIs can now restrict environment variable access:
# Block sensitive env vars
node --allow-env=DATABASE_URL,API_KEY, SECRET_KEY server.js
# Or block all env
node --allow-env=false server.js
Pro tip: Combine with your API's config to prevent env leakage.
5. Child Process Permission Control
Running external commands from your API? Now you can restrict that too:
# Only allow specific commands
node --allow-child-process=git,curl server.js
# Block all child processes
node --allow-child-process=false server.js
Quick Reference
| Permission Flag | What It Controls |
|---|---|
--allow-fs-read |
File system read access |
--allow-fs-write |
File system write access |
--allow-net |
Network connections |
--allow-env |
Environment variables |
--allow-child-process |
Child process spawning |
Conclusion
Node.js 2026's permission model gives API developers fine-grained control over what their code can access. Start by running your API with minimal permissions and only add what you need. It's like defense in depth for your Node.js applications.
Ready to secure your APIs? Try these permission flags today and let us know in the comments what changes you've made!
Top comments (0)