awesome-secure-defaults

December 4, 2025

tl;dr sec Newsletter


| Library | Description | Language(s) | Category |
|---|---|---|---|
| helmetjs/helmet | Helmet helps secure Express apps by setting HTTP response headers. | NodeJS | Headers |
| github/secure_headers | Manages application of security headers with many safe defaults. | Ruby | Headers |
| arkadiyt/ssrf_filter | A Ruby gem for defending against Server Side Request Forgery (SSRF) attacks. | Ruby | SSRF |
| google/tink-crypto | A multi-language, cross-platform library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse. | Java, C++, Go, Python, Obj-C | Cryptography |
| cure53/DOMPurify | A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. | JavaScript | HTML Sanitizer (XSS prevention) |
| mozilla/bleach | An allowed-list-based HTML sanitizing library that escapes or strips markup and attributes. | Python | HTML Sanitizer (XSS prevention) |
| pallets/markupsafe | Safely add untrusted strings to HTML/XML markup. | Python | HTML Sanitizer (XSS prevention) |
| symfony/html-sanitizer | Provides an object-oriented API to sanitize untrusted HTML input for safe insertion into a document's DOM. | PHP | HTML Sanitizer (XSS prevention) |
| null8626/decancer | A tiny package that removes common Unicode confusables/homoglyphs from strings. | Rust, JavaScript (Node.js/Browser), C/C++, Java, Python (unofficial) | Input Sanitization |
| davisjam/safe-regex | Detects possibly catastrophic, exponential-time regular expressions. | JavaScript | Regex |
| ikkisoft/SerialKiller | Look-ahead Java deserialization library. | Java | Deserialization |
| paragonie/anti-csrf | Full-featured anti-CSRF library. | PHP | CSRF |
| paragonie/constant_time_encoding | Character encoding functions that do not leak information about what you are encoding/decoding via processor cache misses. | PHP | Information Leakage |
| paragonie/halite | High-level cryptography interface powered by libsodium. | PHP | Cryptography |
| paragonie/ionizer | Input filter system for PHP software. | PHP | Input Filtration |
| paragonie/password_lock | Wraps Bcrypt-SHA2 in authenticated encryption. | PHP | Cryptography |
| jvoisin/snuffleupagus | Security module for PHP 7 and PHP 8: killing bug classes and virtual-patching the rest! | PHP | Misc |
| BePsvPT/secure-headers | PHP Secure Headers. | PHP | Headers |
| gorilla/csrf | Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services 🔒 | Golang | CSRF |
| justinas/nosurf | CSRF protection middleware for Go. | Golang | CSRF |
| sdsdkkk/safe_redirect | Keep Rails apps safe from open redirects. | Ruby on Rails | Open Redirect |
| Shopify/redirect_safely | Sanitize redirect_to URLs. | Ruby | Open Redirect |
| Trendyol/safe-redirect | Library that resolves open-redirect vulnerabilities when redirecting to a path taken from the query string. | TypeScript | Open Redirect |
| gorilla/securecookie | Encodes and decodes authenticated and optionally encrypted cookie values for Go web applications. | Golang | CookieJar |
| google/safevalues | Prevent Cross-Site Scripting vulnerabilities in TypeScript (and JavaScript). It is meant to be used together with tsec to provide strong security guarantees and help you deploy Trusted Types and other CSP restrictions in your applications. | TypeScript | XSS |
| google/wuffs | Parsing, decoding and encoding untrusted file formats safely. | C | File Handling |
| google/safeopen | Safe-by-construction library with file open/create primitives for Golang that are not vulnerable to path traversal attacks. | Golang | Path Traversal |
| google/safe-active-record | A security middleware to defend against SQL injection in Ruby on Rails Active Record. | Ruby | SQLi |
| google/safetext | Safe-by-construction libraries for producing formats like YAML. | Golang | Injection |
| google/safehtml | Immutable string-like types that wrap web types such as HTML, JavaScript and CSS. These wrappers are safe by construction against XSS and similar web vulnerabilities. | Golang | XSS, etc. |
| google/securemessage | A portable crypto library that exposes a restricted API that is secure by design, for use as a black-box building block in cryptographic protocols. | C++ | Cryptography |
| google/re2 | A fast, safe, thread-friendly alternative to backtracking regular expression engines. | C++ | Regex |
| google/safearchive | Safe-by-construction libraries for processing tar and zip archives, to replace unsafe alternatives like archive/tar and archive/zip that are at risk of path traversal attacks. Besides crafted filename entries in the archive, this library also protects from symbolic link attacks. | Golang | Zip Handling |
| google/go-safeweb | A collection of libraries for writing secure-by-default HTTP servers in Go. | Golang | XSS, XSRF |
| doyensec/safeurl | Implements a safeurl.Client wrapper around Go's native net/http.Client and performs validation on the incoming request against the configured allow and block lists. It also implements mitigation for DNS rebinding attacks. | Golang | SSRF |
| mustache/mustache | Logic-less Ruby templates. | Ruby | Templating |
| Shopify/liquid | Safe, customer-facing template language for flexible web apps. | Ruby | Templating |
| handlebars-lang/handlebars.js | Minimal templating on steroids. | JavaScript | Templating |
| salesforce/handlebars-php | A simple, logic-less, yet powerful templating engine for PHP. | PHP | Templating |
| huggingface/safetensors | This repository implements a new simple format for storing tensors safely (as opposed to pickle) that is still fast (zero-copy). | Python | Packing/Unpacking |
| cloudflare/svg-hush | Make arbitrary SVG files as benign and safe to serve as images in other common Web file formats. | Rust | SVG |
| tiran/defusedxml | Python-only workarounds and fixes for denial of service and other vulnerabilities in Python's XML libraries. | Python | XXE |
| nahsra/antisamy | A library for performing fast, configurable cleansing of HTML coming from untrusted sources. | Java | Injection |
| OWASP/www-project-csrfguard | The aim of this project is to protect Java applications against CSRF attacks with the use of Synchronizer Tokens. | Java | CSRF |
| y-mehta/ssrf-req-filter | Module to prevent SSRF when sending requests in NodeJS. Blocks requests to local and private IP addresses. | NodeJS | SSRF |
| segmentio/ui-box's safeHref | Allowlists safe protocols and sets rel values. | TypeScript | XSS |
| vvo/iron-session | 🛠 Secure, stateless, and cookie-based session library. | JavaScript | CookieJar |
| cossacklabs/themis | Easy-to-use cryptographic framework for data protection: secure messaging with forward secrecy and secure data storage. Has unified APIs across 14 platforms. | iOS (Swift, Obj-C), Android (Java, Kotlin), React Native (iOS, Android), desktop Java, C/C++, Node.js, Python, Ruby, PHP, Go, Rust, WASM | Cryptography |
| aws/http-desync-guardian | Analyze HTTP requests to minimize risks of HTTP Desync attacks (precursor for HTTP request smuggling/splitting). | Rust | HTTP Desync |
| rust-ammonia/ammonia | Repair and secure untrusted HTML. | Rust | HTML Sanitizer (XSS prevention) |
| techgaun/plug_secex | Adds various HTTP headers to make a Phoenix/Elixir app more secure. | Elixir | Headers |
| TypeError/secure | Secure 🔒 headers for Python web frameworks. | Python | Headers |
| unrolled/secure | HTTP middleware for Go that facilitates some quick security wins. | Golang | Multiple |
| juunas11/aspnetcore-security-headers | Middleware for adding security headers to an ASP.NET Core application. | .NET | Headers |
| andrewlock/NetEscapades...SecurityHeaders | Small package to allow adding security headers to ASP.NET Core websites. | .NET | Headers |
| GaProgMan/OwaspHeaders.Core | A .NET Core middleware for injecting the OWASP recommended HTTP headers for increased security. | .NET | Headers |
| mganss/HtmlSanitizer | Cleans HTML to avoid XSS attacks. | .NET | HTML Sanitizer (XSS prevention) |
| Escape/GraphQL-Armor | Highly customizable security middleware for various GraphQL server engines. | Apollo Server, GraphQL Yoga, GraphQL-Helix, Node.js HTTP, GraphQL-WS, GraphQL-SSE, Azure Functions, Cloudflare Workers, Google Cloud Functions, AWS Lambda, type-graphql, nexus, express-graphql | Multiple |
| microcosm-cc/bluemonday | A fast Golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user-generated content of XSS. | Golang | HTML Sanitizer (XSS prevention) |
| gradio-app/safehttpx | Python library to prevent SSRF through a wrapper around httpx.AsyncClient.get(). | Python | SSRF |
| realArcherL/is-path-inside-secure | Securely verifies path containment, resolves symlinks, confirms file existence, and prevents path traversal attacks. | JavaScript | Path Traversal |
| opengovsg/starter-kitty validators | Path, Email, and URL validators. | JavaScript | Multiple |
| opengovsg/starter-kitty safe-fs | Prevents path traversal. | JavaScript | Path Traversal |
| realArcherL/spotlighting-datamarking | Spotlighting defenses (delimiter, datamarking and base64-encoding). | TypeScript | Prompt Injection |

Infrastructure Security

| Library | Description | Language(s) | Category |
|---|---|---|---|
| HardenedBSD | Hardened fork of FreeBSD with extra exploit mitigations and security hardening technologies. | C, C++, Shell, Other | OS / ecosystem |
| GoogleContainerTools/distroless | Language-focused Docker images, minus the operating system. | Docker | Containers |
| chainguard-images/images | Chainguard Images is a collection of container images designed for minimalism and security. | Docker | Containers |
| step-security/harden-runner | Network egress filtering and runtime security for GitHub-hosted and self-hosted runners. | GitHub Actions | CI/CD |

Template

| [TKTK](https://github.com/TKTK) | TKTK | TKTK | TKTK | [![stars](https://badgen.net/github/stars/TKTK)](https://badgen.net/github/stars/TKTK) [![last-commit](https://badgen.net/github/last-commit/TKTK)](https://badgen.net/github/last-commit/TKTK) |

References