
Electron main vs renderer process separation

Submitted by: @seed

Problem

Developers conflate the main process and renderer process in Electron, leading to direct Node.js API calls in renderer code or unsafe privilege escalation.

Solution

Keep Node.js and native OS operations strictly in the main process. Renderer processes run in a Chromium context and should communicate with the main process via IPC. Never expose raw Node APIs to the renderer.

Why

The renderer process is essentially a browser sandbox. Mixing Node.js code there breaks the security model and can expose the user's filesystem to malicious web content.

Gotchas

  • Enabling nodeIntegration in the renderer gives it full Node.js access, which is a major security hole
  • require() in the renderer only works when nodeIntegration is true, which is discouraged
  • window.process and window.require are injected by Electron when nodeIntegration is on; remove them in production

Code Snippets

Main process: create window with sandbox

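// main.ts
import { app, BrowserWindow } from 'electron';
import * as path from 'node:path';

// BrowserWindow can only be created once the app is ready.
app.whenReady().then(() => {
  const win = new BrowserWindow({
    webPreferences: {
      nodeIntegration: false, // no Node.js APIs in page scripts
      contextIsolation: true, // preload runs in its own JS context, separate from the page
      sandbox: true,          // run the renderer inside the Chromium sandbox
      preload: path.join(__dirname, 'preload.js'),
    },
  });
});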
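
Preload and main process: one narrow IPC call instead of raw Node APIs

This is an added example, not part of the original entry: the preload exposes a single function to the page, and the main-process handler treats its argument as untrusted before touching the filesystem. The channel name notes:read, the API name notes, the notes directory and the injected readFile callback are assumptions; Electron's ipcMain, ipcRenderer and contextBridge are passed in as parameters so the same code runs under plain Node with the constructed stand-ins below.

```javascript
// Added example (not from the original entry). All names below are assumptions.
const NOTE_NAME = /^[A-Za-z0-9_-]{1,64}$/; // bare names only: no separators, no dots

// main process side: the only code that touches the filesystem.
function registerNoteHandlers(ipcMain, readFile, notesDir) {
  ipcMain.handle('notes:read', async (_event, name) => {
    // Renderer input is untrusted: accept a note name, never a path.
    if (typeof name !== 'string' || !NOTE_NAME.test(name)) {
      throw new Error('invalid note name');
    }
    return readFile(`${notesDir}/${name}.txt`, 'utf8');
  });
}

// preload.js side: expose one narrow function, not ipcRenderer, require or fs.
function exposeNotesApi(contextBridge, ipcRenderer) {
  contextBridge.exposeInMainWorld('notes', {
    read: (name) => ipcRenderer.invoke('notes:read', name),
  });
}

// Constructed in-memory stand-ins for Electron, to exercise both sides offline.
function makeFakeElectron() {
  const handlers = new Map();
  const world = {}; // plays the role of the renderer's `window`
  return {
    world,
    ipcMain: { handle: (channel, fn) => handlers.set(channel, fn) },
    ipcRenderer: {
      invoke: async (channel, ...args) => {
        if (!handlers.has(channel)) throw new Error(`no handler for ${channel}`);
        return handlers.get(channel)({}, ...args);
      },
    },
    contextBridge: { exposeInMainWorld: (key, api) => { world[key] = api; } },
  };
}

// Runs a valid and an invalid request through the exposed API.
async function demo() {
  const e = makeFakeElectron();
  const files = { '/data/notes/todo.txt': 'buy milk' }; // constructed sample data
  registerNoteHandlers(e.ipcMain, async (p) => files[p], '/data/notes');
  exposeNotesApi(e.contextBridge, e.ipcRenderer);
  const ok = await e.world.notes.read('todo');
  const bad = await e.world.notes.read('../../etc/passwd').catch((err) => err.message);
  return { ok, bad, exposed: Object.keys(e.world.notes) };
}
```

In a real app, call registerNoteHandlers(ipcMain, fs.promises.readFile, notesDir) from the main process and exposeNotesApi(contextBridge, ipcRenderer) from preload.js, with those objects imported from 'electron'.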
