Skip to main content

no-insecure-random

Disallow non-cryptographic randomness APIs for security-sensitive flows.

Targeted pattern scopeโ€‹

This rule targets insecure randomness APIs such as:

  • Math.random()
  • crypto.pseudoRandomBytes(...).

What this rule reportsโ€‹

This rule reports pseudo-random generators used in contexts where cryptographic-strength randomness is expected.

Why this rule existsโ€‹

Predictable random values can undermine tokens, passwords, keys, and related security controls.

โŒ Incorrectโ€‹

const token = `${Math.random()}`;
const bytes = crypto.pseudoRandomBytes(32);

โœ… Correctโ€‹

const bytes = crypto.randomBytes(32);
const browserBytes = crypto.getRandomValues(new Uint8Array(32));

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-insecure-random": "error",
},
},
];

When not to use itโ€‹

Disable only for non-security simulation or test data where predictability is acceptable.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R020