OWASP Web Shield Library ( OWL )

OWASP Web Shield Library (OWL)

OWL is a practical, open source security library for modern JavaScript applications. It provides reusable protection utilities aligned to OWASP Top 10 categories and ships with a React adapter for fast integration.

Use The Tabs Above

This project now uses a tabbed layout to keep the homepage focused and make content easier to navigate.

  • Overview: Architecture, A01-A10 module map, and React adapter highlights
  • Getting Started: Installation, commands, and first integration example
  • Contributing: Contributor workflow, pull request guidance, and conduct/security links

Quick Project Facts

  • Maturity: v0.1.0 foundation release
  • Coverage: A01-A10 modules
  • Stack: Framework-agnostic core + React adapter
  • Quality: ESLint, Jest, CI workflows, and security gates

Project Leader


OWASP Web Shield Library (OWL)

Practical, reusable security controls for modern JavaScript applications.

What OWL Delivers

  • OWASP-aligned module coverage from A01 to A10
  • Framework-agnostic core package with predictable APIs
  • React adapter organized by the same A01-A10 categories
  • Secure defaults with explicit policy-driven behavior
  • CI-ready engineering workflow with lint, test, and build gates

Core Module Map (A01-A10)

OWASP Category Module Primary Capabilities
A01 a01-access-control RBAC, ACL, PermissionChecker (deny-overrides)
A02 a02-crypto-integrity AES-GCM encryption, pluggable KDF adapters, secret policies
A03 a03-injection-defense Input sanitization and schema-style validation
A04 a04-insecure-design-guard Threat model guards and design checklists
A05 a05-security-misconfiguration Config validation and hardening reports
A06 a06-vulnerable-components Dependency risk scanning and component policy gating
A07 a07-auth-session Auth/session lifecycle and token management
A08 a08-data-integrity CSRF token management and secure HTTP client
A09 a09-logging-monitoring Security events and redaction-aware security logging
A10 a10-ssrf-defense URL policy validation and safe fetch wrapper

React Adapter Highlights

  • A01: ACL/RBAC providers, useACL, usePermission, PermissionGate
  • A07: AuthProvider, useAuth, useAuthToken, AuthGate
  • A08: useSecureHttpClient with CSRF defaults and request policy support
  • A09: SecurityProvider and monitoring hooks

Setup

Requirements: Node.js 20+ recommended.

npm install

Quality Gate

npm run check

Build

npm run build

Example Usage

import { RBACManager, ACLManager, PermissionChecker } from "@owl/core";

const rbac = new RBACManager();
rbac.defineRole("admin", ["read:report", "update:report"]);

const acl = new ACLManager();
acl.setPolicy("report", "delete", "deny");

const checker = new PermissionChecker({ rbacManager: rbac, aclManager: acl });
const decision = checker.check({ role: "admin", action: "read", resource: "report" });
console.log(decision);

CI/CD Baseline

- name: Install
  run: npm ci

- name: Lint
  run: npm run lint

- name: Test
  run: npm run test

- name: Build
  run: npm run build

Useful Docs


Key Contributors

Sreejith Nair - OWL Project Leader

Contributing Guidelines

Thank you for your interest in contributing to OWASP Web Shield Library (OWL). We welcome contributions that improve security quality, developer experience, and documentation.

Getting Started

  1. Join the OWASP Slack workspace.
  2. Fork the repository and clone it locally.
  3. Install dependencies with npm install.
  4. Run the quality gate with npm run check.
  5. Implement your change with tests where applicable.
  6. Submit a pull request with a clear description.

Pull Request Guidelines

Before submitting a pull request, please make sure:

  1. Your changes align with project goals and OWASP principles.
  2. Your code and docs are clear and maintainable.
  3. Existing behavior is not broken.
  4. Tests cover security-relevant and failure paths.
  5. The PR description explains problem, approach, and validation.

Code of Conduct

All contributors are expected to follow the OWASP Code of Conduct.

Security Reporting

Do not open public issues for vulnerabilities. Follow the private reporting guidance in SECURITY.md.