Skip to content

TypeScript Security Snippets

Use these as starter shapes, not drop-in security guarantees.

1) Decode External Input At The Boundary

import { z } from 'zod';

const CreateOrderSchema = z.object({
  accountId: z.string().uuid(),
  amountCents: z.number().int().positive(),
  currency: z.enum(['USD', 'EUR']),
});

export type CreateOrderInput = z.infer<typeof CreateOrderSchema>;

export function decodeCreateOrder(input: unknown): CreateOrderInput {
  return CreateOrderSchema.parse(input);
}

2) Parameterized SQL Query

import type { Pool } from 'pg';

export async function loadOrder(pool: Pool, orderId: string, tenantId: string) {
  const result = await pool.query(
    `SELECT id, tenant_id, status, total_cents
     FROM orders
     WHERE id = $1 AND tenant_id = $2`,
    [orderId, tenantId],
  );

  return result.rows[0] ?? null;
}

3) SSRF Host Allowlist

const ALLOWED_HOSTS = new Set(['api.internal.example.com', 'assets.example.com']);

export function assertAllowedOutboundUrl(rawUrl: string): URL {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:' || !ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error('Outbound URL is not allowed');
  }
  return url;
}

Verification Checklist

  • Validation errors return safe, structured client-facing messages.
  • Query surfaces tenant-scoped results only.
  • Outbound URL checks run before network calls.