Ofri Peretz

Posted on • Edited on • Originally published at ofriperetz.dev

Architectural Security: The NestJS Static Analysis Standard

NestJS provides the structure, but developers provide the injection points. Here is the automated static analysis standard for enforcing architectural security across your entire NestJS fleet.

This plugin is for Node.js teams building APIs with NestJS.

Quick Install

npm install --save-dev eslint-plugin-nestjs-security

Flat Config

// eslint.config.js
import nestjsSecurity from "eslint-plugin-nestjs-security";

export default [nestjsSecurity.configs.recommended];

Rule Overview

Rule                        What it catches
require-guards              Controllers without @UseGuards
require-class-validator     DTOs without validation decorators
require-throttler           Auth endpoints without rate limiting
no-exposed-private-fields   Entities without @Exclude on sensitive fields
no-missing-validation-pipe  @Body() without ValidationPipe

Run ESLint

npx eslint .

You'll see output like:

src/users/users.controller.ts
  12:1  error  🔒 Controller missing @UseGuards decorator
               Fix: Add @UseGuards(AuthGuard) to the controller or method

src/auth/dto/login.dto.ts
  8:3   error  🔒 DTO property 'password' missing validation decorator
               Fix: Add @IsString() @MinLength(8) decorators

src/users/entities/user.entity.ts
  15:3  error  🔒 Sensitive field 'password' not excluded from serialization
               Fix: Add @Exclude() decorator from class-transformer

Quick Wins

Guards

// ❌ Unprotected controller
import { Controller, Get } from '@nestjs/common';

@Controller('users')
export class UsersController {
  @Get()
  findAll() { ... }
}

// ✅ Protected with guards
import { Controller, Get, UseGuards } from '@nestjs/common';
// JwtAuthGuard is your project's own guard; the import path below is illustrative
import { JwtAuthGuard } from '../auth/jwt-auth.guard';

@Controller('users')
@UseGuards(JwtAuthGuard)
export class UsersController {
  @Get()
  findAll() { ... }
}

DTO Validation

// ❌ No validation
export class CreateUserDto {
  email: string;
  password: string;
}

// ✅ Validated DTO
import { IsEmail, IsString, MinLength } from 'class-validator';

export class CreateUserDto {
  @IsEmail()
  email: string;

  @IsString()
  @MinLength(8)
  password: string;
}

Custom Configuration

// eslint.config.js
import nestjsSecurity from "eslint-plugin-nestjs-security";

export default [
  nestjsSecurity.configs.recommended,
  {
    rules: {
      // Only require guards on specific routes
      "nestjs-security/require-guards": [
        "error",
        {
          excludePatterns: ["health", "public"],
        },
      ],

      // Warn instead of error for throttling
      "nestjs-security/require-throttler": "warn",
    },
  },
];

Strongly-Typed Options (TypeScript)

// eslint.config.ts
import nestjsSecurity, {
  type RuleOptions,
} from "eslint-plugin-nestjs-security";

const guardOptions: RuleOptions["require-guards"] = {
  excludePatterns: ["health", "metrics"],
  requireOnMethods: ["POST", "PUT", "DELETE"],
};

export default [
  nestjsSecurity.configs.recommended,
  {
    rules: {
      "nestjs-security/require-guards": ["error", guardOptions],
    },
  },
];
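
To make the two options above concrete, here is an added example that is not the plugin's source: a small model of the decision a require-guards check has to make for each route handler, using excludePatterns and requireOnMethods exactly as the guardOptions object sets them. How the real rule matches excludePatterns against routes is an assumption here (substring match on the @Controller() path), and the sample controllers are constructed.

```typescript
type HttpVerb = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";

interface RouteHandler { name: string; verb: HttpVerb; guarded: boolean } // guarded = method-level @UseGuards
interface ControllerModel { className: string; path: string; guarded: boolean; handlers: RouteHandler[] }
interface RequireGuardsOptions { excludePatterns?: string[]; requireOnMethods?: HttpVerb[] }
interface Finding { controller: string; handler: string; message: string }

// Assumed option semantics (not taken from the plugin docs): excludePatterns are
// substring matches against the @Controller() path; requireOnMethods limits the
// check to the listed verbs. Without requireOnMethods every verb must be guarded.
function checkRequireGuards(controllers: ControllerModel[], options: RequireGuardsOptions = {}): Finding[] {
  const exclude = options.excludePatterns || [];
  const verbs = options.requireOnMethods;
  const findings: Finding[] = [];
  for (const c of controllers) {
    if (exclude.some((p) => c.path.indexOf(p) !== -1)) continue;
    for (const h of c.handlers) {
      if (verbs && verbs.indexOf(h.verb) === -1) continue;
      if (c.guarded || h.guarded) continue; // a class-level guard covers every handler
      findings.push({ controller: c.className, handler: h.name,
        message: `${c.className}.${h.name} (${h.verb}) has no @UseGuards on the method or the class` });
    }
  }
  return findings;
}

// Constructed sample fleet, not real project code.
const sampleControllers: ControllerModel[] = [
  { className: "UsersController", path: "users", guarded: false, handlers: [
    { name: "findAll", verb: "GET", guarded: false }, { name: "create", verb: "POST", guarded: false }] },
  { className: "HealthController", path: "health", guarded: false, handlers: [
    { name: "check", verb: "GET", guarded: false }] },
  { className: "AdminController", path: "admin", guarded: true, handlers: [
    { name: "remove", verb: "DELETE", guarded: false }] },
  { className: "PostsController", path: "posts", guarded: false, handlers: [
    { name: "list", verb: "GET", guarded: false }, { name: "update", verb: "PUT", guarded: true },
    { name: "remove", verb: "DELETE", guarded: false }] },
];

// Default run: every unguarded handler is reported, health check included.
function findingsWithDefaults(): Finding[] { return checkRequireGuards(sampleControllers); }

// The guardOptions from the post: health routes are skipped and only mutating verbs are checked.
function findingsWithGuardOptions(): Finding[] {
  return checkRequireGuards(sampleControllers, {
    excludePatterns: ["health", "metrics"], requireOnMethods: ["POST", "PUT", "DELETE"] });
}

for (const f of findingsWithGuardOptions()) console.log(`error  🔒 ${f.message}`);
```

With the defaults the sample fleet produces five findings; with the post's guardOptions only the unguarded POST and DELETE handlers remain, which is the trade-off to keep in mind before narrowing requireOnMethods on a real code base.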

Quick Reference

# Install
npm install --save-dev eslint-plugin-nestjs-security

# Config (eslint.config.js)
import nestjsSecurity from 'eslint-plugin-nestjs-security';
export default [nestjsSecurity.configs.recommended];

# Run
npx eslint .

📦 npm: eslint-plugin-nestjs-security
📖 Full Rule List

⭐ Star on GitHub


The Interlace ESLint Ecosystem
Interlace is a high-fidelity suite of static code analyzers designed to automate security, performance, and reliability for the modern Node.js stack. With over 330 rules across 18 specialized plugins, it provides 100% coverage for OWASP Top 10, LLM Security, and Database Hardening.

Explore the full Documentation

© 2026 Ofri Peretz. All rights reserved.


Build Securely.
I'm Ofri Peretz, a Security Engineering Leader and the architect of the Interlace Ecosystem. I build static analysis standards that automate security and performance for Node.js fleets at scale.

ofriperetz.dev | LinkedIn | GitHub
