{"id":18454347,"url":"https://github.com/1password/electron-secure-defaults","last_synced_at":"2025-04-08T03:36:03.503Z","repository":{"id":53348575,"uuid":"360981855","full_name":"1Password/electron-secure-defaults","owner":"1Password","description":"Starter kit and documentation for building security conscious Electron apps","archived":false,"fork":false,"pushed_at":"2023-03-18T18:22:32.000Z","size":139,"stargazers_count":75,"open_issues_count":0,"forks_count":3,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-04-16T00:17:36.333Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/1Password.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-04-23T19:08:17.000Z","updated_at":"2024-04-05T07:54:01.000Z","dependencies_parsed_at":"2022-09-11T07:00:16.404Z","dependency_job_id":null,"html_url":"https://github.com/1Password/electron-secure-defaults","commit_stats":null,"previous_names":[],"tags_count":0,"template":true,"template_full_name":"electron/electron-quick-start-typescript","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Felectron-secure-defaults","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Felectron-secure-defaults/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Felectron-secure-defaults/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/1Password%2Felectron-secure-defaults/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/1Passwo
rd","download_url":"https://codeload.github.com/1Password/electron-secure-defaults/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223303757,"owners_count":17123097,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T08:03:53.859Z","updated_at":"2024-11-06T08:03:55.001Z","avatar_url":"https://github.com/1Password.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# electron-secure-defaults\n\nThis is a security-enhanced fork of [electron-quick-start-typescript](https://github.com/electron/electron-quick-start-typescript). It can be used as a starter kit for a new Electron app, or as an annotated resource for anyone looking to improve an existing project.\n\nThe configuration in this repository is used in conjunction with [electron-hardener](https://github.com/1password/electron-hardener) to provide a secure frontend foundation for the [1Password](https://1password.com) desktop app.\n\n## Usage\n\nBuild and run the quick start demo with `npm install \u0026\u0026 npm start`. For more information, see [electron-quick-start-typescript](https://github.com/electron/electron-quick-start-typescript).\n\n[Electronegativity](https://github.com/doyensec/electronegativity) is included and configured for the codebase. 
Run `npm run electronegativity` to check for vulnerabilities.\n\n## Security Design\n\nThe decisions made in this repository are informed by a number of sources:\n\n- [Electron security checklist](https://www.electronjs.org/docs/tutorial/security#checklist-security-recommendations)\n- [Electronegativity](https://github.com/doyensec/electronegativity)\n- Regular internal security audits and reviews at 1Password\n\nSettings are chosen for their applicability to the security and privacy design of the 1Password desktop app. We believe these are reasonable defaults for other modern apps, but it is your responsibility to understand the security goals of your application and the expectations of your users.\n\nSecurity-sensitive code in the repository is annotated by `// SECURITY:`. Inline links are provided to the relevant sections below.\n\n## Electron security checklist\n\nThis project tracks the official Electron [security checklist](https://www.electronjs.org/docs/tutorial/security#checklist-security-recommendations). Current implementation status for each rule is given below.\n\n\u003ca name=\"rule-1\"\u003e\u003c/a\u003e\n\n### 1. Only load secure content\n\nRule: https://www.electronjs.org/docs/tutorial/security#1-only-load-secure-content\n\nStatus: ✅\n\nThe app loads its executable code from `file://` URIs within the bundle. Remote URLs must be HTTPS and must be declared in the CSP.\n\n\u003ca name=\"rule-2\"\u003e\u003c/a\u003e\n\n### 2. Do not enable Node.js integration for remote content\n\nRule: https://www.electronjs.org/docs/tutorial/security#2-do-not-enable-nodejs-integration-for-remote-content\n\nStatus: ✅\n\nDisabled by default in modern versions of Electron. Remains explicitly disabled for the browser window.\n\n\u003ca name=\"rule-3\"\u003e\u003c/a\u003e\n\n### 3. 
Enable context isolation for remote content\n\nRule: https://www.electronjs.org/docs/tutorial/security#3-enable-context-isolation-for-remote-content\n\nStatus: ✅\n\nEnabled by default in Electron 12. Remains explicitly enabled for the browser window.\n\nA limited API is provided to the renderer process over the `ContextBridge`.\n\n\u003ca name=\"rule-4\"\u003e\u003c/a\u003e\n\n### 4. Handle session permission requests from remote content\n\nRule: https://www.electronjs.org/docs/tutorial/security#4-handle-session-permission-requests-from-remote-content\n\nStatus: ✅\n\nAll permission requests on the session are denied.\n\n\u003ca name=\"rule-5\"\u003e\u003c/a\u003e\n\n### 5. Do not disable WebSecurity\n\nRule: https://www.electronjs.org/docs/tutorial/security#5-do-not-disable-websecurity\n\nStatus: ✅\n\nEnabled by default.\n\n\u003ca name=\"rule-6\"\u003e\u003c/a\u003e\n\n### 6. Define a Content Security Policy\n\nRule: https://www.electronjs.org/docs/tutorial/security#6-define-a-content-security-policy\n\nStatus: ✅\n\nA restrictive CSP is defined in the session HTTP header, which is the preferred method. It should be updated for the specific remote access needs of the application.\n\n\u003ca name=\"rule-7\"\u003e\u003c/a\u003e\n\n### 7. Do not set `allowRunningInsecureContent` to `true`\n\nRule: https://www.electronjs.org/docs/tutorial/security#7-do-not-set-allowrunninginsecurecontent-to-true\n\nStatus: ✅\n\nDisabled by default.\n\n\u003ca name=\"rule-8\"\u003e\u003c/a\u003e\n\n### 8. Do not enable experimental features\n\nRule: https://www.electronjs.org/docs/tutorial/security#8-do-not-enable-experimental-features\n\nStatus: ✅\n\nDisabled by default.\n\n\u003ca name=\"rule-9\"\u003e\u003c/a\u003e\n\n### 9. Do not use `enableBlinkFeatures`\n\nRule: https://www.electronjs.org/docs/tutorial/security#9-do-not-use-enableblinkfeatures\n\nStatus: ✅\n\nDisabled by default.\n\n\u003ca name=\"rule-10\"\u003e\u003c/a\u003e\n\n### 10. 
Do not use `allowPopups`\n\nRule: https://www.electronjs.org/docs/tutorial/security#10-do-not-use-allowpopups\n\nStatus: ✅\n\nNot used by default.\n\n\u003ca name=\"rule-11\"\u003e\u003c/a\u003e\n\n### 11. Verify WebView options before creation\n\nRule: https://www.electronjs.org/docs/tutorial/security#11-verify-webview-options-before-creation\n\nStatus: ✅\n\nWebView creation is blocked in the main process.\n\n\u003ca name=\"rule-12\"\u003e\u003c/a\u003e\n\n### 12. Disable or limit navigation\n\nRule: https://www.electronjs.org/docs/tutorial/security#12-disable-or-limit-navigation\n\nStatus: ✅\n\nRenderer navigation is blocked in the main process.\n\n\u003ca name=\"rule-13\"\u003e\u003c/a\u003e\n\n### 13. Disable or limit creation of new windows\n\nRule: https://www.electronjs.org/docs/tutorial/security#13-disable-or-limit-creation-of-new-windows\n\nStatus: ✅\n\nNew window creation is blocked in the main process.\n\n\u003ca name=\"rule-14\"\u003e\u003c/a\u003e\n\n### 14. Do not use `openExternal` with untrusted content\n\nRule: https://www.electronjs.org/docs/tutorial/security#14-do-not-use-openexternal-with-untrusted-content\n\nStatus: ✅\n\nNot used by default.\n\n\u003ca name=\"rule-15\"\u003e\u003c/a\u003e\n\n### 15. Use a current version of Electron\n\nRule: https://www.electronjs.org/docs/tutorial/security#17-use-a-current-version-of-electron\n\nStatus: ✅\n\nElectron 12.x is the current stable release.\n\n## Additional security measures\n\nThe following features are also configured in this repository.\n\n\u003ca name=\"disable-remote\"\u003e\u003c/a\u003e\n\n### Disable the Remote module\n\nThe `remote` module was disabled by default in Electron 10, and was deprecated in Electron 12. 
It remains explicitly disabled for the browser window.\n\nLearn more: [remote](https://www.electronjs.org/docs/api/remote).\n\n\u003ca name=\"sandbox\"\u003e\u003c/a\u003e\n\n### Sandbox the renderer process\n\nThe `sandbox` option prevents the renderer process from accessing Node or Electron APIs. It is enabled globally as well as for the browser window.\n\nLearn more: https://www.electronjs.org/docs/api/sandbox-option.\n\n\u003ca name=\"disable-new-window\"\u003e\u003c/a\u003e\n\n### Further prevent new window creation\n\nThe (recently deprecated) `new-window` event does not always prevent windows from being opened. The app uses `disableBlinkFeatures: \"Auxclick\"` and the new `setWindowOpenHandler` to prevent further instances.\n\nLearn more: https://www.electronjs.org/docs/api/window-open.\n\n\u003ca name=\"disable-session-cache\"\u003e\u003c/a\u003e\n\n### Disable the session cache\n\nA custom `Session` object is used instead of using the default session. The session is persistent, but its cache is disabled to prevent network resources from being saved to disk automatically. This is especially important on Windows, where Electron saves its user data to `%AppData%\\Roaming`.\n\nThe session can be made more private by removing the `persist:` prefix from the partition, in which case nothing will be written to disk, including `localStorage`. The user experience would then be similar to using Chrome in Incognito mode.\n\nLearn more: https://www.electronjs.org/docs/api/session#sessionfrompartitionpartition-options.\n\n### Restrict dev tools access in the packaged app\n\nEasy access to the web inspector is necessary during development, but it can be used as an attack vector in production. Users can be tricked into executing code which would expose their personal information or compromise the functionality of the app. 
To prevent this from happening, dev tools access is disabled in the packaged app.\n\n### Use `strict` TypeScript setting\n\nThe `strict` setting in `tsconfig.json` enforces correct code and prevents JavaScript errors at runtime.\n\n## Disclaimer\n\nAll code and documentation in this repository is intended for educational purposes, and is provided as-is. Use at your own risk. 1Password and contributors are not responsible for data loss, security incidents, or other damages incurred through the use of this software, or through the application of any advice provided in the documentation.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F1password%2Felectron-secure-defaults","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F1password%2Felectron-secure-defaults","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F1password%2Felectron-secure-defaults/lists"}