Prototype-less Dictionaries for Security

Snippet

Prototype-less Dictionaries for Security

Objects created with 'Object.create(null)' have no prototype. This hardens applications against Prototype Pollution attacks because inherited properties cannot be shadowed or corrupted. It also improves performance for large lookups as the engine doesn't search the prototype chain.

snippet.js
javascript
const config = Object.create(null);
 
function setConfig(key, value) {
  config[key] = value;
}
 
// Prevents issues with keys like '__proto__'
setConfig('__proto__', { admin: true });
console.log(config.admin); // undefined
console.log(Object.getPrototypeOf(config)); // null

nodejs

Breakdown

const config = Object.create(null);

Creates a pure dictionary object with no built-in methods or prototype.

config[key] = value;

Safe property assignment even if 'key' is a reserved property name like 'constructor'.

Previous snippet Next snippet

More Expert JavaScript exercises →

From your library

Prototype-less Dictionaries for Security

Related