/web-app-security-libraries

This repository gives you the knowledge and resources to build secure and resilient web applications.

Secure Coding: Security Libraries for Web Development

This repository contains a curated list of security libraries for various programming languages commonly used in web application and API development.

Golang

  • authelia: Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications via a web portal. It acts as a companion for reverse proxies by allowing, denying, or redirecting requests.
  • casbin: An authorization library that supports access control models like ACL, RBAC, and ABAC.
  • caswaf: HTTP & OAuth Gateway and Web Application Firewall (WAF) based on ModSecurity.
  • coraza: OWASP Coraza WAF is a ModSecurity-compatible web application firewall library written in Go.
  • crypto: Standard cryptographic functions for Go.
  • go-password-validator: Validate the Strength of a Password in Go.
  • gorilla/csrf: An HTTP middleware library that provides cross-site request forgery (CSRF) protection.
  • jwt-go: JSON Web Tokens (JWT) implementation for Go.
  • secure: HTTP middleware for Go that facilitates some quick security wins.

Java

  • apache shiro: A versatile security framework for Java applications, providing authentication, authorization, cryptography, and session management.
  • bouncy castle: A cryptographic library for Java that provides APIs for various cryptographic operations.
  • owasp java html sanitizer: A library to help prevent Cross-Site Scripting (XSS) attacks.
  • spring security: A powerful and highly customizable authentication and access control framework for Java applications.

Node.js

  • bcrypt: A library for hashing passwords in Node.js applications.
  • Helmet: A collection of middleware to help secure Express apps by setting various HTTP headers.
  • jsonwebtoken: JSON Web Token (JWT) implementation for Node.js.
  • node-rate-limiter-flexible: Counts and limits the number of actions by key and protects against DDoS and brute-force attacks at any scale.
  • passport: Passport is authentication middleware for Node.js. Extremely flexible and modular, Passport can be unobtrusively dropped into any Express-based web application.
  • validator: A library of string validators and sanitizers.

PHP

  • HTML Purifier: HTML Purifier is an HTML filtering solution that uses a unique combination of robust whitelists and aggressive parsing to ensure that not only are XSS attacks thwarted, but the resulting HTML is standards compliant.
  • Laravel Sanctum: A simple package for API token authentication in Laravel PHP applications.
  • League/OAuth2-Server: A standards-compliant implementation of an OAuth 2.0 authorization server written in PHP that makes working with OAuth 2.0 trivial.
  • paragonie/random_compat: A compatibility library providing random_bytes() and random_int() for older PHP versions.
  • Parsedown: Parsedown is capable of escaping user-input within the HTML that it generates.
  • PHP Encryption: A PHP Secure Communications Library providing basic RSA, DSA, and SSH-2 functionality.
  • Security Component - Core: Security provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so-called user providers that hold the users' credentials.
  • Security Component - CSRF: The Security CSRF (cross-site request forgery) component provides a class CsrfTokenManager for generating and validating CSRF tokens.
  • Security Component - Guard: The Guard component brings many layers of authentication together, making it much easier to create complex authentication systems where you have total control.

.NET

  • ASP.NET Core Identity: A membership system for building secure ASP.NET Core web applications, providing user authentication, authorization, and account management.
  • Microsoft.AspNetCore.DataProtection: Data protection APIs for protecting and unprotecting data.
  • NWebsec: Helps you set important security headers and detect potentially dangerous redirects.
  • System.Security.Cryptography: Provides cryptographic services, including secure encoding and decoding of data, as well as many other operations, such as hashing, random number generation, and message authentication.

Ruby

  • Devise: A flexible authentication solution for Ruby on Rails.
  • sinatra/rack-protection: Middleware for protecting against common web attacks (XSS, CSRF, clickjacking, directory traversal, session hijacking and IP spoofing).
  • nokogiri: Securely parses HTML and XML.
  • bcrypt: A library for hashing passwords securely using the bcrypt algorithm in Ruby.

Python

  • OWASP Python Security Project: A collection of Python security-related tools and libraries.
  • django-allauth: A Django authentication library providing support for various authentication methods, including social authentication.
  • cryptography: A Python library providing cryptographic recipes and primitives.