Overview

The @overlayed/app/security module provides utilities to keep your application secure and prevent abuse.

assertNoProhibitedArgs

The assertNoProhibitedArgs function checks for prohibited command line arguments and exits the application if any are found. This prevents users from launching your app with flags that could:
  • Enable remote debugging
  • Disable security features
  • Open developer tools
  • Load unauthorized extensions
  • Bypass sandboxing

Basic Usage

We strongly recommend calling this function. Ideally, it should be called before any other code is executed.

import { assertNoProhibitedArgs } from "@overlayed/app/security";
import { overlayed } from "@overlayed/app";

// Check for prohibited arguments first
assertNoProhibitedArgs();

// Then initialize your electron app, overlayed, etc
const overlay = overlayed({
	// ...
});

Production-Only Usage

You may want to only enforce this check in production builds:

import { assertNoProhibitedArgs } from "@overlayed/app/security";

if (import.meta.env.PROD) {
	assertNoProhibitedArgs();
}

Selectively Allowing Arguments

In some cases, you may need to allow specific arguments (e.g., for debugging in development):

import { assertNoProhibitedArgs } from "@overlayed/app/security";

assertNoProhibitedArgs({
	args: {
		"--inspect": false, // Allow --inspect flag
	},
});

Prohibited Arguments

The following command line arguments are blocked by default:
  • --inspect
  • --inspect-brk
  • --inspect-port
  • --remote-debugging-port
  • --remote-debugging-address
  • --remote-debugging-pipe
  • --remote-allow-origins
  • --auto-open-devtools-for-tabs
  • --devtools
  • --disable-web-security
  • --allow-file-access-from-files
  • --allow-running-insecure-content
  • --unsafely-treat-insecure-origin-as-secure
  • --load-extension
  • --proxy-server
  • --proxy-bypass-list
  • --no-sandbox
  • --disable-gpu-sandbox
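
The check described on this page amounts to scanning the process arguments against the default list above. The following is an added example, not the @overlayed/app source: findProhibitedArgs is a hypothetical helper, and matching on the exact flag name with or without an "=value" suffix is an assumption.

```javascript
// Added illustration; not the @overlayed/app implementation.
// Default blocklist copied from the "Prohibited Arguments" list on this page.
const DEFAULT_PROHIBITED = [
	"--inspect", "--inspect-brk", "--inspect-port",
	"--remote-debugging-port", "--remote-debugging-address",
	"--remote-debugging-pipe", "--remote-allow-origins",
	"--auto-open-devtools-for-tabs", "--devtools",
	"--disable-web-security", "--allow-file-access-from-files",
	"--allow-running-insecure-content",
	"--unsafely-treat-insecure-origin-as-secure",
	"--load-extension", "--proxy-server", "--proxy-bypass-list",
	"--no-sandbox", "--disable-gpu-sandbox",
];

// Hypothetical helper: returns the prohibited flag names found in argv.
// `overrides` mirrors the page's `args` option: a value of false allows a flag.
// Assumption: a flag matches on its exact name, with or without "=value".
function findProhibitedArgs(argv, overrides = {}) {
	const blocked = new Set(
		DEFAULT_PROHIBITED.filter((flag) => overrides[flag] !== false),
	);
	const hits = new Set();
	for (const arg of argv) {
		if (typeof arg !== "string" || !arg.startsWith("--")) continue;
		// "--inspect=9229" and "--inspect" both reduce to "--inspect".
		const name = arg.split("=", 1)[0];
		// Exact comparison: allowing "--inspect" must not also allow
		// "--inspect-brk", and "--inspector" must not trip "--inspect".
		if (blocked.has(name)) hits.add(name);
	}
	return [...hits];
}

// Constructed sample command lines (not captured from a real launch).
const samples = [
	["app.exe", "--lang=en"],
	["app.exe", "--remote-debugging-port=9222", "--no-sandbox"],
	["app.exe", "--inspect", "--inspect-brk=0"],
];
for (const argv of samples) {
	const found = findProhibitedArgs(argv, { "--inspect": false });
	console.log(argv.slice(1).join(" "), "=>", found.length ? found : "clean");
}
```

An entry point using a check like this would exit when the returned array is non-empty, before any window is created.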