
    This package has been deprecated

    Author message:

    Project is no longer maintained


    1.0.3 • Public • Published

    MongoSecure

    MongoSecure is a Node.js module that works as an express.js middleware to prevent potential NoSQL injection flaws that might allow hackers to exploit the application and perform unauthorized activities.

    I would like to thank x00, who gave me a head start to fix this issue and create a middleware for you. Originally asked as a question on Stack Overflow.

    Why you need this

    I have posted a complete article about this, showing how the application can be targeted and exploited with NoSQL injection payloads.

    You can find my article posted here:

    Other reasons are as follows:

    1. Fix the above mentioned vulnerability without any complexity
    2. Minimize the time to validate data and report it tainted
    3. Slimline and fast
    4. No additional skill/library required
    5. Does not change original value of req.body. SEE THIS


    • NodeJS 10+
    • Mongoose or MongoDB
    • Express 4+


    Install via NPM

    npm i @tbhaxor/mongo-secure

    Install via Yarn

    yarn add @tbhaxor/mongo-secure


    Require the package

    // es6
    import mongoSecure from '@tbhaxor/mongo-secure'
    import express from 'express'

    // commonjs (use this instead of the es6 imports above, not together with them)
    const express = require('express')
    const mongoSecure = require('@tbhaxor/mongo-secure').default

    const app = express()
    app.use(express.json()) // parse JSON request bodies first
    app.use(mongoSecure({ limit: 2, replaceWith: 'Insecure Property Detected' })) // use it after `express.json` middleware

    To access the protected body, you can use req.protectedBody in the express router:

    // route method assumed to be POST, since the handler reads the request body
    app.post('/', function (req, res) {
      let myProtectedData = req.protectedBody
      res.json({ insecureData: req.body, securedData: myProtectedData })
    })


    The function requires two option fields, limit and replaceWith.


    DEPRECATION!!! This is deprecated; please use limit instead.


    limit is a numeric field that accepts a number starting from 1. It is the maximum nesting depth to be deserialized. Any nested property that is instanceof Object beyond that depth is replaced with the value of replaceWith.


    replaceWith is a string field that accepts any string; there is no constraint here. When a nested object hits the limit, the object is replaced with this text.

    For example, if limit is 1 and replaceWith is Unprotected, then

    { "name": "Gurkirat", "username": "tbhaxor", "address": { "country": "India", "location": "New Delhi" } }

    would be converted to

    { "name": "Gurkirat", "username": "tbhaxor", "address": "Unprotected" }
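
The depth-limit behaviour described above, sketched as an added example; it is not the package's own source. `limitDepth`, `protectBodyMiddleware`, `sampleBody` and `demo` are hypothetical names, and counting arrays as a nesting level is an assumption.

```javascript
// Added illustration of the depth-limit idea; not the package's own source.
// Assumption: arrays count as a nesting level (they are `instanceof Object`).
function limitDepth(value, limit, replaceWith, depth = 1) {
  // Primitives (string, number, boolean, null, undefined) are returned as-is.
  if (value === null || typeof value !== 'object') return value
  // Past the allowed depth the whole sub-object is swapped for the marker text.
  if (depth > limit) return replaceWith
  if (Array.isArray(value)) {
    return value.map((v) => limitDepth(v, limit, replaceWith, depth + 1))
  }
  // Object.fromEntries defines plain own properties, so a "__proto__" key in
  // the JSON body stays data, and the input object is copied, never mutated.
  return Object.fromEntries(
    Object.entries(value).map(([k, v]) => [k, limitDepth(v, limit, replaceWith, depth + 1)])
  )
}

// Hypothetical express-style middleware around limitDepth (no express import
// is needed to run this file; req/res/next are plain objects below).
function protectBodyMiddleware({ limit, replaceWith }) {
  if (!Number.isInteger(limit) || limit < 1) {
    throw new RangeError('limit must be an integer >= 1')
  }
  return function (req, res, next) {
    req.protectedBody = limitDepth(req.body, limit, replaceWith)
    next()
  }
}

// Constructed request body: `password` arrives as a query-operator object
// where the route expects a string.
const sampleBody = { username: 'tbhaxor', password: { $ne: null } }

function demo() {
  const req = { body: sampleBody }
  protectBodyMiddleware({ limit: 1, replaceWith: 'Unprotected' })(req, {}, () => {})
  return req
}

console.log(demo().protectedBody)
```

With limit 1 the operator object never reaches a query as an object, while req.body keeps its original value for logging or rejection.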

    Using other tech stacks

    You can also use mongo secure with other Node.js projects. This module doesn't limit you to expressjs.

    To leverage this module on other platforms, you can use this example


    You can become a developer of the mongo-secure module. To set up the development environment:

    1. Fork the repository
    2. Clone the repository (git clone<user-name>/mongo-secure.git)
    3. Install the packages (yarn install)
    4. Start the development

    Test whether your modification works correctly

    yarn test

    Note: If you are adding a feature, you must include the test case in test/<feature-name>.spec.ts

    For more information read the Contributing Guidelines


    @tbhaxor/mongo-secure is licensed under MIT License

    Contact the Author

    Follow the links to reach me


    Unpacked Size

    24.4 kB


    • tbhaxor