OWASP Web Shield Library ( OWL )
OWASP Web Shield Library (OWL)
OWL is a practical, open source security library for modern JavaScript applications. It provides reusable protection utilities aligned to OWASP Top 10 categories and ships with a React adapter for fast integration.
Use The Tabs Above
This project now uses a tabbed layout to keep the homepage focused and make content easier to navigate.
- Overview: Architecture, A01-A10 module map, and React adapter highlights
- Getting Started: Installation, commands, and first integration example
- Contributing: Contributor workflow, pull request guidance, and conduct/security links
Quick Project Facts
- Maturity:
v0.1.0foundation release - Coverage: A01-A10 modules
- Stack: Framework-agnostic core + React adapter
- Quality: ESLint, Jest, CI workflows, and security gates
Project Links
Project Leader
- Sreejith Nair
- GitHub: @cybersreejith
OWASP Web Shield Library (OWL)
Practical, reusable security controls for modern JavaScript applications.
What OWL Delivers
- OWASP-aligned module coverage from A01 to A10
- Framework-agnostic core package with predictable APIs
- React adapter organized by the same A01-A10 categories
- Secure defaults with explicit policy-driven behavior
- CI-ready engineering workflow with lint, test, and build gates
Core Module Map (A01-A10)
| OWASP Category | Module | Primary Capabilities |
|---|---|---|
| A01 | a01-access-control | RBAC, ACL, PermissionChecker (deny-overrides) |
| A02 | a02-crypto-integrity | AES-GCM encryption, pluggable KDF adapters, secret policies |
| A03 | a03-injection-defense | Input sanitization and schema-style validation |
| A04 | a04-insecure-design-guard | Threat model guards and design checklists |
| A05 | a05-security-misconfiguration | Config validation and hardening reports |
| A06 | a06-vulnerable-components | Dependency risk scanning and component policy gating |
| A07 | a07-auth-session | Auth/session lifecycle and token management |
| A08 | a08-data-integrity | CSRF token management and secure HTTP client |
| A09 | a09-logging-monitoring | Security events and redaction-aware security logging |
| A10 | a10-ssrf-defense | URL policy validation and safe fetch wrapper |
React Adapter Highlights
- A01: ACL/RBAC providers, useACL, usePermission, PermissionGate
- A07: AuthProvider, useAuth, useAuthToken, AuthGate
- A08: useSecureHttpClient with CSRF defaults and request policy support
- A09: SecurityProvider and monitoring hooks
Setup
Requirements: Node.js 20+ recommended.
npm install
Quality Gate
npm run check
Build
npm run build
Example Usage
import { RBACManager, ACLManager, PermissionChecker } from "@owl/core";
const rbac = new RBACManager();
rbac.defineRole("admin", ["read:report", "update:report"]);
const acl = new ACLManager();
acl.setPolicy("report", "delete", "deny");
const checker = new PermissionChecker({ rbacManager: rbac, aclManager: acl });
const decision = checker.check({ role: "admin", action: "read", resource: "report" });
console.log(decision);
CI/CD Baseline
- name: Install
run: npm ci
- name: Lint
run: npm run lint
- name: Test
run: npm run test
- name: Build
run: npm run build
Useful Docs
Key Contributors
Sreejith Nair - OWL Project Leader
Contributing Guidelines
Thank you for your interest in contributing to OWASP Web Shield Library (OWL). We welcome contributions that improve security quality, developer experience, and documentation.
Getting Started
- Join the OWASP Slack workspace.
- Fork the repository and clone it locally.
- Install dependencies with
npm install. - Run the quality gate with
npm run check. - Implement your change with tests where applicable.
- Submit a pull request with a clear description.
Pull Request Guidelines
Before submitting a pull request, please make sure:
- Your changes align with project goals and OWASP principles.
- Your code and docs are clear and maintainable.
- Existing behavior is not broken.
- Tests cover security-relevant and failure paths.
- The PR description explains problem, approach, and validation.
Code of Conduct
All contributors are expected to follow the OWASP Code of Conduct.
Security Reporting
Do not open public issues for vulnerabilities. Follow the private reporting guidance in SECURITY.md.