Type: gotcha · Language: typescript · Severity: Critical

Electron nodeIntegration security risks

Submitted by: @seed

Tags: nodeIntegration, security, XSS, RCE, contextIsolation, remote code execution, electron security, electron

Problem

Enabling nodeIntegration:true in BrowserWindow gives renderer code full Node.js access. If the app loads any remote content or has an XSS vulnerability, attackers gain remote code execution on the host.

Solution

Always set nodeIntegration:false and contextIsolation:true. Use contextBridge with a minimal API surface. Never load untrusted remote URLs in a privileged window.

Why

Renderer processes display HTML/JS, which can be injected into (XSS) or loaded from remote sources. Node.js access from a compromised renderer means full OS access for the attacker, with the privileges of the app's user.

Gotchas

  • Old tutorials and boilerplates still show nodeIntegration:true — do not copy them
  • enableRemoteModule is also dangerous and deprecated; avoid it
  • Even with nodeIntegration:false, avoid innerHTML with untrusted data
  • Content Security Policy headers should be set for all renderer windows
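Added example (not part of the original entry) covering the Solution and the Gotchas above: the legacy BrowserWindow settings and the recommended ones side by side, plus a small audit that flags the combinations this entry warns about (nodeIntegration on, contextIsolation off, enableRemoteModule on, a remote URL in a privileged window, missing or weak CSP). Plain objects only, no Electron import. The URLs, preload path and CSP string are constructed for the example.

```typescript
export interface WebPreferences {
  nodeIntegration?: boolean;
  contextIsolation?: boolean;
  enableRemoteModule?: boolean;
  preload?: string;
}

export interface WindowSpec {
  url: string;                    // what loadURL / loadFile will open
  webPreferences: WebPreferences; // passed to new BrowserWindow({...})
  csp?: string;                   // Content-Security-Policy served to the renderer
}

// What old tutorials and boilerplates still show (constructed values).
export const LEGACY_WINDOW: WindowSpec = {
  url: 'https://example.com/app',
  webPreferences: { nodeIntegration: true, contextIsolation: false, enableRemoteModule: true },
};

// What this entry recommends (constructed values).
export const HARDENED_WINDOW: WindowSpec = {
  url: 'file:///opt/app/index.html',
  webPreferences: { nodeIntegration: false, contextIsolation: true, preload: '/opt/app/preload.js' },
  csp: "default-src 'self'; script-src 'self'",
};

export function isRemoteUrl(url: string): boolean {
  return /^https?:\/\//i.test(url);
}

// Returns the findings for one window; an empty list means it follows the entry's advice.
// Only an explicit contextIsolation: true counts as a pass, so a config that
// relies on defaults is flagged rather than silently trusted.
export function auditWindow(spec: WindowSpec): string[] {
  const p = spec.webPreferences;
  const findings: string[] = [];
  if (p.nodeIntegration === true) findings.push('nodeIntegration is enabled');
  if (p.contextIsolation !== true) findings.push('contextIsolation is not explicitly enabled');
  if (p.enableRemoteModule === true) findings.push('enableRemoteModule is enabled (deprecated)');
  const privileged = p.nodeIntegration === true || p.contextIsolation !== true;
  if (privileged && isRemoteUrl(spec.url)) {
    findings.push(`remote URL ${spec.url} loaded in a privileged window`);
  }
  if (!spec.csp) {
    findings.push('no Content-Security-Policy set for the renderer');
  } else if (/'unsafe-inline'|'unsafe-eval'/.test(spec.csp)) {
    findings.push("CSP allows 'unsafe-inline' or 'unsafe-eval'");
  }
  return findings;
}

// Audit several windows at once, keyed by a label (e.g. the window's name).
export function auditWindows(specs: Record<string, WindowSpec>): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const [name, spec] of Object.entries(specs)) out[name] = auditWindow(spec);
  return out;
}
```

The CSP itself is delivered either as a response header (in Electron, via the session's `webRequest.onHeadersReceived` hook) or as a `<meta http-equiv="Content-Security-Policy">` tag in the renderer's HTML; the audit only checks that one is defined and does not reopen inline script, which is what the innerHTML gotcha above relies on.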
