Skip to content

Security model

tekivex-ui ships with a security kernel — SecurityCore — that runs on every component prop where untrusted data could leak. It’s not a plugin or an opt-in middleware. It’s the default.

sanitizeHref()

URL allow-list (http/https/mailto/tel). Blocks javascript: and data: URI XSS at the prop boundary.

sanitizeUnicode()

Strips homoglyph + bidi-override attacks (CVE-2021-42574). Cyrillic ‘а’ masquerading as Latin ‘a’ gets caught.

scrubPII()

Redacts emails, phone numbers, SSNs, credit cards before they hit your logs or analytics.

createRateLimiter()

Token-bucket implementation for client-side abuse prevention.

Trusted Types installer

One-line CSP hardening for the highest browser-level XSS protection.

Zero runtime deps

SecurityCore has no production dependencies. Smaller supply-chain surface, no transitive CVE exposure.

Every primitive is exported from tekivex-ui:

import {
sanitizeHref,
sanitizeUnicode,
scrubPII,
createRateLimiter,
installTrustedTypes,
installFrameBuster,
} from 'tekivex-ui';
// Sanitise a user-supplied URL before rendering it
<a href={sanitizeHref(userUrl)}>{label}</a>
// Strip log lines of identifying info
console.log(scrubPII(`User ${email} from ${ipAddress} signed in.`));
// ^- rendered as: User [redacted-email] from … signed in.
// Rate-limit a button to 5 clicks per second
const limiter = createRateLimiter({ tokens: 5, refillPerSecond: 5 });
function handleSubmit() {
if (!limiter.tryAcquire()) return;
// …
}

The same kernel ships as tekivex-security-core — framework-agnostic, usable in Node services, Deno edge functions, anywhere JS runs.

Terminal window
npm install tekivex-security-core

See the Ecosystem page for the full feature list.

tekivex-audit is a static-analysis CLI that catches the patterns SecurityCore can’t see at runtime — dangerouslySetInnerHTML without DOMPurify, missing rel="noopener", hardcoded API keys. Run it once:

Terminal window
npx tekivex-audit .

It found 9 errors and 67 warnings on the demo site itself the first time we ran it.