DEV Community

Ofri Peretz
Ofri Peretz

Posted on

Getting Started with eslint-plugin-nestjs-security

#nestjs #eslint #security #node

5 NestJS security rules. Guards, validation, throttling.

This plugin is for Node.js teams building APIs with NestJS.

Quick Install 

npm install --save-dev eslint-plugin-nestjs-security
Enter fullscreen mode Exit fullscreen mode

Flat Config 

// eslint.config.js
import nestjsSecurity from 'eslint-plugin-nestjs-security';

export default [nestjsSecurity.configs.recommended];
Enter fullscreen mode Exit fullscreen mode

Rule Overview

Rule What it catches
require-guards Controllers without @UseGuards
require-class-validator DTOs without validation decorators
require-throttler Auth endpoints without rate limiting
no-exposed-private-fields Entities without @Exclude on sensitive
no-missing-validation-pipe @body without ValidationPipe

Run ESLint 

npx eslint .
Enter fullscreen mode Exit fullscreen mode

You'll see output like:

src/users/users.controller.ts
  12:1  error  πŸ”’ Controller missing @UseGuards decorator
               Fix: Add @UseGuards(AuthGuard) to the controller or method

src/auth/dto/login.dto.ts
  8:3   error  πŸ”’ DTO property 'password' missing validation decorator
               Fix: Add @IsString() @MinLength(8) decorators

src/users/entities/user.entity.ts
  15:3  error  πŸ”’ Sensitive field 'password' not excluded from serialization
               Fix: Add @Exclude() decorator from class-transformer
Enter fullscreen mode Exit fullscreen mode

Quick Wins

Guards 

// ❌ Unprotected controller
@Controller('users')
export class UsersController {
  @Get()
  findAll() { ... }
}

// βœ… Protected with guards
@Controller('users')
@UseGuards(JwtAuthGuard)
export class UsersController {
  @Get()
  findAll() { ... }
}
Enter fullscreen mode Exit fullscreen mode

DTO Validation 

// ❌ No validation
export class CreateUserDto {
  email: string;
  password: string;
}

// βœ… Validated DTO
export class CreateUserDto {
  @IsEmail()
  email: string;

  @IsString()
  @MinLength(8)
  password: string;
}
Enter fullscreen mode Exit fullscreen mode

Custom Configuration 

// eslint.config.js
import nestjsSecurity from 'eslint-plugin-nestjs-security';

export default [
  nestjsSecurity.configs.recommended,
  {
    rules: {
      // Only require guards on specific routes
      'nestjs-security/require-guards': [
        'error',
        {
          excludePatterns: ['health', 'public'],
        },
      ],

      // Warn instead of error for throttling
      'nestjs-security/require-throttler': 'warn',
    },
  },
];
Enter fullscreen mode Exit fullscreen mode

Strongly-Typed Options (TypeScript) 

// eslint.config.ts
import nestjsSecurity, {
  type RuleOptions,
} from 'eslint-plugin-nestjs-security';

const guardOptions: RuleOptions['require-guards'] = {
  excludePatterns: ['health', 'metrics'],
  requireOnMethods: ['POST', 'PUT', 'DELETE'],
};

export default [
  nestjsSecurity.configs.recommended,
  {
    rules: {
      'nestjs-security/require-guards': ['error', guardOptions],
    },
  },
];
Enter fullscreen mode Exit fullscreen mode

Quick Reference 

# Install
npm install --save-dev eslint-plugin-nestjs-security

# Config (eslint.config.js)
import nestjsSecurity from 'eslint-plugin-nestjs-security';
export default [nestjsSecurity.configs.recommended];

# Run
npx eslint .
Enter fullscreen mode Exit fullscreen mode

πŸ“¦ npm: eslint-plugin-nestjs-security
πŸ“– Full Rule List

⭐ Star on GitHub

πŸš€ Building with NestJS? Run the linter!

GitHub | LinkedIn | Dev.to

Top comments (0)